Error: The signature key was not found


#1

Hi. I’m trying to do the server setup as described here https://developer.okta.com/quickstart/#/widget/dotnet/aspnetcore. In my ASP.NET Core 2.0 solution I added the following:

// Startup.cs, ConfigureServices: accept Okta access tokens as JWT bearer tokens
services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Authority = "https://[my okta url].com/oauth2/default";
        options.Audience = "api://default";
    });

and:

app.UseAuthentication();

In my FE app I’m sending the access token as:

config.headers.Authorization = "Bearer " + auth.oktaSignIn.tokenManager.get("accessToken").accessToken;

When I try to make a request to a route decorated with the Authorize attribute, I get 401 Unauthorized with the following error:

Bearer error="invalid_token", error_description="The signature key was not found"

I’m using the default authorization server.


#2

I’m glad to see you are using the default authorization server.

Check a couple things for me:

  1. Are you setting the issuer in your widget / auth js?
  2. If you are, is the issuer the same as your default authorization server?
  3. Double check that the [my okta url] is correct

If you want to do some troubleshooting, you can drop the access token JWT into jsonwebtoken.io and get the kid field from the jwt header. After you get the kid, you can check your authorization server’s keys by going to https://[my okta org].com/oauth2/default/v1/keys

This will give you the list of public keys by ID.

Hope this information helps you troubleshoot. Let me know if you still have problems!
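The kid and issuer check described in the post above, written out as an added Python example (it is not code from this thread or from Okta). The token, the JWKS document and the org URL are constructed placeholders; the script only decodes the token for diagnostics and does not verify its signature.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt_unverified(token: str):
    """Return (header, claims) without checking the signature; diagnostics only."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    return header, claims

def diagnose(token: str, expected_issuer: str, jwks: dict) -> dict:
    """Explain why a resource server cannot find the token's signing key."""
    header, claims = decode_jwt_unverified(token)
    kid = header.get("kid")
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    return {
        "kid": kid,
        "kid_found": kid in known_kids,          # is kid in /oauth2/default/v1/keys?
        "iss": claims.get("iss"),
        "issuer_matches": claims.get("iss") == expected_issuer,
    }

# Constructed sample: a token minted by the org authorization server (issuer is
# the bare org URL) while the API only trusts the "default" authorization server.
EXPECTED_ISSUER = "https://example.okta.com/oauth2/default"  # placeholder org
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "org-key-1"}).encode()),
    b64url_encode(json.dumps({"iss": "https://example.okta.com",
                              "aud": "api://default"}).encode()),
    b64url_encode(b"not-a-real-signature"),
])
# Constructed JWKS shaped like the /v1/keys response (only the kid matters here).
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "default-key-1", "use": "sig"}]}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN, EXPECTED_ISSUER, SAMPLE_JWKS), indent=2))
```

When both `kid_found` and `issuer_matches` are false, the widget is talking to a different authorization server than the API, which is exactly the issuer mismatch fixed later in this thread.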


#3

Hi Tom. Indeed I wasn’t setting the authParams.issuer property in the widget config. Setting that fixed the problem.

Thank you!


#4

Awesome - glad that fixed it!


#5

Hi Tom,

https://[myorg].okta.com/oauth2/default/v1/keys returns an error for me, {"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorLink":"E0000006","errorId":"oaeCYHjg3K4Tlut8L2a4hcFZw","errorCauses":[]}, and I am getting the same error as described above. Any suggestions?

Thank you!


#6

How did you create your org? Was it developer.okta.com? Or is this an IT Product org?


#7

It is an IT Product org created by the client we are integrating for. We opened a case and figured out fairly quickly that they did not have API Management Access purchased, hence the suite of issues we encountered.

It would be really helpful if it were clear in the documentation that these scenarios work only for developer accounts or enterprise accounts with API Management Access purchased. Also, the “Unlimited OAuth 2.0 authorization servers” verbiage in the API Management Access is misleading; it creates the impression that a limited level exists, while it does not.


#9

I am facing the same issue. How did you manage to get it working?


#10

Does it mean we can’t create an Authorization Server for an IT Product org?


#11

We did not get it to work. We figured out that we did not have “API Management Access” purchased on the IT product org account we were using, so the authentication token could not be used, because an authorization server is not available unless you have an IT product org account with “API Management Access” or a developer account.


#12

You can create an authorization server for an IT product org if you have purchased “API Management Access” as well, otherwise you cannot. The documentation is somewhat misleading.


#13

I’ve contacted developer support and was advised “not to validate the token” from our .NET code, and instead to call the /v1/userinfo endpoint to get the user info.

I did the steps below and got it working in .NET Core 2.0. Unfortunately our existing application is using Core 1.0, which has no setter for SecurityTokenValidator.

New Validator Class

  1. public class CustomSecurityValidator : ISecurityTokenValidator
     • override the ValidateToken method to not validate the token

Startup.cs

  2. options.SecurityTokenValidator = new CustomSecurityValidator();
  3. In the OnTokenValidated event, call the /v1/userinfo endpoint manually and add the user info to ctx.Principal

Hope the above is useful to someone.

It will be good if OKTA .net core middleware can handle this scenario.