.NET Error IDX10501: Signature validation failed. Unable to match key

Hey, I am getting this error when trying to call a method.

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid:

I am generating my key via Postman and trying to call "http://localhost:8000/api/messages", one of your test apps.

I have updated my server-side authentication code; it looks like this:

services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    // Include key identifiers and other details in IdentityModel exception messages
    IdentityModelEventSource.ShowPII = true;
})
.AddJwtBearer(options =>
{
    // Authority is the issuer whose metadata and signing keys are fetched
    options.Authority = "https://dev-XXXXXXXX.okta.com";
    options.Audience = "api://default";
});

Take a look at the following article that discusses why you encountered this error: Signature Validation Failed

As noted in our documentation for our own .NET SDK, you CANNOT validate tokens issued by the Org Authorization server (issuer/authority = your okta domain).

Ensure that you are instead using one of the custom authorization servers which are designed to support this use case.

If you change the authority to "https://dev-XXXXXX.okta.com/oauth2/default" and ensure that the tokens you are sending to your API are issued by this same Default Authorization Server, do you still encounter this error?

Ok, I had a bit of a play around and managed to get further. I am now getting the exceptions below. Any help?

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://dev-XXXXX.okta.com/oauth2/v1/token/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'https://dev-XXXXX.okta.com/oauth2/v1/token/.well-known/openid-configuration'. HttpResponseMessage: 'StatusCode: 405, ReasonPhrase: 'Method Not Allowed', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{

It's not hitting the right endpoint, so it still looks like you have something misconfigured.

If you're using the Default server (which, like I said, you should be doing if you need to validate the token locally via OWIN), it should be making a request to https://dev-XXXXX.okta.com/oauth2/default/.well-known/openid-configuration. You can hit this same URL in your browser as well, as it's the public metadata endpoint for this authorization server.
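The two failures in this thread are both visible before any signature check: the metadata URL is derived mechanically from `Authority`, and the `kid` in the token header has to appear in the JWKS that this authority publishes. The following offline checker is an added example, not code from the thread, from Okta or from Microsoft. The tenant name, the key ids, the JWKS contents and the tokens are constructed for illustration; it does not verify signatures (the JwtBearer middleware does that), it only reports why validation against a given authority could never succeed.

```python
"""Offline checker for the configuration mismatches behind IDX20803 and IDX10501.

Added example; not the thread's, Okta's or Microsoft's code. Signatures are not
verified here. The checker only asks: could the token's issuer and kid ever match
what the configured Authority publishes?
"""
import base64
import json
from urllib.parse import urlparse

# Constructed sample values: the tenant, kids and JWKS are made up for this example.
DEFAULT_AS = "https://dev-12345.okta.com/oauth2/default"   # custom authorization server
ORG_AS = "https://dev-12345.okta.com"                      # org authorization server
AUDIENCE = "api://default"

# A JWKS shaped like the one at {authority}/v1/keys; modulus omitted since nothing is signed.
DEFAULT_AS_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "default-as-key-1", "e": "AQAB", "n": "<omitted>"},
]}


def discovery_url(authority: str) -> str:
    """The URL the middleware fetches: Authority + /.well-known/openid-configuration."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(header: dict, claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature, for offline inspection only."""
    parts = [_b64url(json.dumps(header).encode()),
             _b64url(json.dumps(claims).encode()),
             _b64url(b"placeholder-signature")]
    return ".".join(parts)


def diagnose(token: str, authority: str, audience: str, jwks: dict) -> list:
    """Return (code, detail) pairs for each reason validation against `authority` cannot succeed."""
    problems = []

    # Authority must be the issuer base URL, never an endpoint beneath it; otherwise
    # discovery requests e.g. /oauth2/v1/token/.well-known/openid-configuration (IDX20803, HTTP 405).
    path = urlparse(authority).path
    if "/v1/" in path or path.endswith("/v1") or ".well-known" in path:
        problems.append(("authority", f"looks like an endpoint; discovery would request {discovery_url(authority)}"))

    header_seg, claims_seg, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    claims = json.loads(_b64url_decode(claims_seg))

    # The issuer claim is compared against the Authority as configured.
    expected_issuer = authority.rstrip("/")
    if claims.get("iss") != expected_issuer:
        problems.append(("issuer", f"token iss={claims.get('iss')!r} but authority={expected_issuer!r}"))

    # IDX10501: the kid that signed the token is not in this authority's JWKS,
    # typically because a different authorization server minted the token.
    known_kids = {key.get("kid") for key in jwks.get("keys", []) if key.get("kid")}
    if header.get("kid") not in known_kids:
        problems.append(("kid", f"kid={header.get('kid')!r} not among {sorted(known_kids)} from {discovery_url(authority)}"))

    if claims.get("aud") != audience:
        problems.append(("audience", f"token aud={claims.get('aud')!r} but expected {audience!r}"))
    return problems


def problem_codes(token: str, authority: str, audience: str = AUDIENCE, jwks: dict = DEFAULT_AS_JWKS) -> list:
    """Just the codes, convenient for quick comparisons."""
    return [code for code, _ in diagnose(token, authority, audience, jwks)]


# Constructed token as /oauth2/default/v1/token would mint it: issuer and kid match the JWKS above.
GOOD_TOKEN = make_sample_token({"alg": "RS256", "kid": "default-as-key-1"},
                               {"iss": DEFAULT_AS, "aud": AUDIENCE, "sub": "user@example.com"})
# Constructed token as the org server's /oauth2/v1/token would mint it: other issuer, other key.
ORG_TOKEN = make_sample_token({"alg": "RS256", "kid": "org-as-key-9"},
                              {"iss": ORG_AS, "aud": AUDIENCE, "sub": "user@example.com"})

if __name__ == "__main__":
    for name, token in (("default-server token", GOOD_TOKEN), ("org-server token", ORG_TOKEN)):
        print(name, "->", diagnose(token, DEFAULT_AS, AUDIENCE, DEFAULT_AS_JWKS) or "consistent")
    print("authority set to an endpoint ->",
          diagnose(GOOD_TOKEN, ORG_AS + "/oauth2/v1/token", AUDIENCE, DEFAULT_AS_JWKS))
```

Run it as-is to see the three situations from the thread side by side: a token from the Default server validated against the Default server is consistent; a token from the org server against the Default server fails on issuer and kid (the IDX10501 symptom); and an Authority of `.../oauth2/v1/token` produces exactly the discovery URL that returned 405. In real use, decode the token you get from Postman and fetch the JWKS from `{Authority}/v1/keys` (or from the `jwks_uri` in the metadata document) in place of the constructed values.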

Hey, thanks for all your help getting me set up. So I am going to take your advice and use the default server, so my code now looks like this:

services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    IdentityModelEventSource.ShowPII = true;
})
.AddJwtBearer(options =>
{
    options.Authority = "https://dev-XXXXX.okta.com/oauth2/default";
    options.Audience = "api://default";
});

Is that correct?

I am using Postman to generate my token. What are the URLs I should be using?

I was using:
https://dev-xxxx.okta.com/oauth2/v1/authorize
https://dev-xxxx.okta.com/oauth2/v1/token

But using these gives me the original error. What are the URLs I should use?

BTW, thanks for all your help; it is appreciated.

I got it working :)

The Postman URLs I used were:

https://dev-xxxx.okta.com/oauth2/default/v1/authorize
https://dev-xxxxx.okta.com/oauth2/default/v1/token

Again thanks for all the help

