Failed to validate token in .NET Core 2.1 Web API

Here is the stack trace:

2018-12-17 20:51:09.993 +00:00 [Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: '[PII is hidden]', 
token: '[PII is hidden]'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Okta.AspNet.Abstractions.StrictTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Okta.AspNet.Abstractions.StrictSecurityTokenValidator.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
2018-12-17 20:51:09.994 +00:00 [Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match keys: '[PII is hidden]', 
token: '[PII is hidden]'.

Relevant code:

using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Okta.AspNetCore;

public void ConfigureServices(IServiceCollection services)
{
    // Make the Okta bearer-token scheme the default for authenticate, challenge and sign-in.
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
    })
    .AddOktaWebApi(new OktaWebApiOptions()
    {
        // Okta:Domain and Okta:ClientId come from configuration (appsettings.json locally,
        // application settings on Azure), so the two environments can point at different orgs.
        OktaDomain = Configuration["Okta:Domain"],
        ClientId = Configuration["Okta:ClientId"],
        Audience = "api://default"
    });
}

Then I have the [Authorize] attribute on my controller.
Works in dev with https://dev-{id}.oktapreview.com/oauth2/default, but not when I publish to Azure with https://{domain}.okta.com.

The code for the sample project doesn’t work in my project:

So I switched back to what I used in previous APIs, and now it works.

I know this is a pretty old topic, but I’m getting the same error message in my .NET Core 2.2 Web API. I’m seeing it when I switch my front-end (Angular) authentication flow from Implicit to Authorization Code. In my case it’s flagging both ‘kid’ and ‘token’ as problems.

What did you switch back to to fix this on your end? My API Okta config is set to all the defaults from the samples.

Hi @JoshBflo

Due to RFC restrictions on the Okta authorization server, in order to be able to verify JWT tokens locally, you need to use a custom authorization server created through the API Access Management feature. This is a free feature for preview and developer orgs, but a paid one in production.
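IDX10501 means the JwtBearer handler parsed the token but could not find a signing key whose kid matches the token's header among the keys it fetched from the configured authority (it discovers the JWKS through {Authority}/.well-known/openid-configuration and its jwks_uri). That is exactly what happens when the token was issued by one authorization server (for example https://{domain}.okta.com/oauth2/default, as in the dev URL above) and the API is configured to trust a different one (https://{domain}.okta.com, the org authorization server), which is the org-versus-custom-authorization-server distinction dragos points to. The following is an added diagnostic script, not code from this thread or from the Okta SDK; it decodes a token's header and claims without verifying the signature and reports which of issuer, audience or kid would fail to match. The org name example.okta.com, the key ids, the JWKS contents and the sample token are all constructed for the demo, and the RSA moduli are placeholders because nothing here checks a signature.

```python
import base64
import json

# Constructed sample data (assumed org name, key ids and JWKS contents; no real keys).
ORG_AS = "https://example.okta.com"                    # org authorization server issuer
CUSTOM_AS = "https://example.okta.com/oauth2/default"  # "default" custom authorization server issuer
AUDIENCE = "api://default"

ORG_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-org-1",
     "n": "placeholder-modulus", "e": "AQAB"},
]}
CUSTOM_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-custom-1",
     "n": "placeholder-modulus", "e": "AQAB"},
]}


def _b64url_encode(obj):
    # Compact JSON, base64url, padding stripped: the encoding JWT segments use.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(issuer, kid):
    # Constructed token: real Okta access tokens are RS256-signed, but only the header and
    # claims are inspected below, so the signature segment is a placeholder.
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": issuer, "aud": AUDIENCE, "sub": "user@example.com", "cid": "0oa-example"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


def decode_unverified(token):
    # Split header.payload.signature and parse the two JSON parts. This is diagnosis only:
    # it tells you which issuer/key the token *claims*, it does not accept the token.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose(token, expected_issuer, expected_audience, jwks):
    """Return the reasons this token would fail local validation against the given
    issuer, audience and JWKS (empty list means iss, aud and kid all line up)."""
    header, claims = decode_unverified(token)
    problems = []

    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"issuer mismatch: token iss={iss!r}, API validates against {expected_issuer!r}")

    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience mismatch: token aud={aud!r}, API expects {expected_audience!r}")

    # This is the check behind IDX10501: the header kid must name a key the authority publishes.
    kid = header.get("kid")
    known = sorted(k["kid"] for k in jwks.get("keys", []) if "kid" in k)
    if kid not in known:
        problems.append(f"kid {kid!r} not in JWKS for {expected_issuer!r} (published kids: {known})")
    return problems


if __name__ == "__main__":
    token = make_sample_token(CUSTOM_AS, "kid-custom-1")  # issued by the custom AS, as in dev
    print("API trusts custom AS:", diagnose(token, CUSTOM_AS, AUDIENCE, CUSTOM_JWKS))
    print("API trusts org AS:   ", diagnose(token, ORG_AS, AUDIENCE, ORG_JWKS))
```

Against a real deployment, paste the access token the front-end sends as `token` and replace the JWKS dictionaries with the JSON from the jwks_uri of the issuer your API is configured with (for the default custom authorization server that is https://{domain}.okta.com/oauth2/default/.well-known/openid-configuration); an issuer or kid mismatch in the output is the configuration difference between the working dev environment and the failing Azure one.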

Hi @dragos. I do have a custom authorization server set up (default) that I am using for this. With the front-end logging in using the implicit flow the API can validate the token and see some custom claims using the basic .net setup in the examples.