I am implementing OpenID Connect authentication for a mobile Xamarin.iOS app I am working on and the .NET web service supporting it.
Environment:
- Xamarin.iOS mobile app using Xamarin's version of the AppAuth.iOS component (works)
- ASP.NET Core MVC web application hosted in Azure as an App Service (works; authentication doesn't work)
In my test I successfully log in using the mobile app through Okta's federated web UI, with two-factor authentication, and receive a populated AuthState which contains the ID token, auth token and refresh token.
As a next step I am trying to test calling a simple endpoint on my web service using JWT authentication with the access token I received from the mobile app.
- This endpoint works without any issues when not secured
- I am trying to test the endpoint by calling it via Postman, selecting the Bearer Token authorization type and populating the value with the access token received from the mobile app
Result: Bearer error="invalid_token", error_description="The signature key was not found"
I set up the web service following this Okta article:
In the developer dashboard I don't see any failures in the logs, since it seems from the message that the token is failing to validate on the server side of my web service application.
Where else can I look to see why this token is failing to validate?
Am I providing the wrong token?
When I try to decode the token using https://jwt.io/ I get an error message that it has an invalid signature, not sure if that’s relevant or not.
Any help/suggestions at how I can debug this further and get it working would be greatly appreciated.
Dmitry
After inspecting the logs coming from my .NET web service during the token validation failure on requests to secured endpoints I see this error:
```
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: 'WffpNetjfaITPwaP7gDQlK90pZC4xO47FDMa3FX1X10',
token: '{"alg":"RS256","typ":"JWT","kid":"WffpNetjfaITPwaP7gDQlK90pZC4xO47FDMa3FX1X10"}.{"ver":1,"jti":"AT.7QYfubuKuh6ixclkCM06a3XIETR3QYw15uiQhzyqhJs.M0EqM7HebCP4RGdjR5mFTfmtkpSxX5ZLIvkB0oL+UIg=","iss":"https://xxxx.okta.com","aud":"https://xxxx.okta.com","sub":"dsamuylov@xxxx.com","iat":1527779914,"exp":1527783514,"cid":"0oa3xqtucfjboPdt91t7","uid":"00uu4f1rvlhuQwmGa1t6","scp":["offline_access","profile","openid"]}'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: Failed to validate the token.
```
After further inspection of the OpenID Connect configuration settings from my account, I see that the kid of the key exposed through the keys endpoint doesn't match the kid of the key used to sign the token I received after authenticating through the AppAuth component, using the same Okta account and application settings as I am using in the server application that is trying to validate the JWT token.
Either not all keys are exposed in the configuration, or there's some other reason why the keys are not matching up that I'm not seeing. Can anyone from the Okta technical team weigh in on what is happening here please?
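An added diagnostic for the failure described above; this is not part of the original post and not Okta's or Microsoft's code. IDX10501 is raised before any signature is checked: the handler reads the `kid` from the JWT header and cannot find a matching key in the JWKS published by the configured authority, so the first things to compare are the header `kid` against the `kid` values in that JWKS, and the token's `iss`/`aud` against the authority and audience the API is configured with. The script also applies an Okta-specific heuristic: a custom authorization server's issuer carries an `/oauth2/<server-id>` path (for example `https://xxxx.okta.com/oauth2/default`), while a bare org URL as `iss` and `aud`, which is what the logged token shows, identifies the org authorization server, whose access tokens are intended for Okta's own API and are not published for validation by a third-party resource server. The JWKS, issuer, audience, kids and tokens below are constructed sample data; the signature segments are placeholders and nothing here verifies a signature.

```python
"""Offline triage for 'IDX10501: Signature validation failed. Unable to match keys'.

Hypothetical helper (not from the post, not Okta's or Microsoft's code). It
repeats the lookup the JwtBearer handler does *before* it can verify a
signature: decode the JWT header, take its `kid`, and look for that `kid`
in the issuer's JWKS (the document behind `jwks_uri` in
<issuer>/.well-known/openid-configuration). The JWKS and tokens below are
constructed inline so the script runs without network access; their
signature segments are placeholders, not real RS256 signatures.
"""
import base64
import json
from typing import List, Optional, Tuple


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) without checking the signature: triage only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def find_signing_key(header: dict, jwks: dict) -> Optional[dict]:
    """Same selection rule as the handler: match the header kid against JWKS kids."""
    return next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)


def diagnose(token: str, jwks: dict, expected_issuer: str, expected_audience: str) -> List[str]:
    """Return human-readable findings. An empty list means the key lookup and the
    issuer/audience claims are consistent and only signature verification remains."""
    findings: List[str] = []
    header, payload = decode_unverified(token)
    kid = header.get("kid")
    if kid is None:
        findings.append("header has no kid, so the handler cannot pick a key from the JWKS")
    key = find_signing_key(header, jwks)
    if key is None:
        published = [k.get("kid") for k in jwks.get("keys", [])]
        findings.append(f"no key with kid={kid!r} in JWKS; published kids: {published}")
    elif key.get("alg") and key["alg"] != header.get("alg"):
        findings.append(f"key {kid!r} is for {key['alg']}, token says {header.get('alg')!r}")

    iss = payload.get("iss")
    if iss != expected_issuer:
        findings.append(f"iss {iss!r} != configured authority {expected_issuer!r}; "
                        "the JWKS being searched belongs to a different issuer")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        findings.append(f"aud {aud!r} does not include this API's audience {expected_audience!r}")
    # Okta-specific heuristic: a custom authorization server's issuer carries an
    # /oauth2/<server-id> path; a bare org URL means the org authorization server,
    # whose access tokens are meant for Okta's own API, not for a third-party resource server.
    if iss and "okta" in iss and "/oauth2/" not in iss:
        findings.append("iss is the bare org URL: token came from the org authorization server, "
                        "not a custom authorization server")
    return findings


def make_token(header: dict, payload: dict) -> str:
    """Constructed test token with a placeholder (invalid) signature segment."""
    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.{b64url_encode(b'placeholder-signature')}"


# Constructed sample data (hypothetical org, server id, kids and key material).
ISSUER = "https://example.okta.com/oauth2/default"
API_AUDIENCE = "api://inventory-service"
JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-published",
                  "n": "not-a-real-modulus", "e": "AQAB"}]}

GOOD_TOKEN = make_token(
    {"alg": "RS256", "typ": "JWT", "kid": "kid-published"},
    {"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user@example.com", "scp": ["openid"]})

# Same shape as the token in the logged failure: iss == aud == bare org URL, unknown kid.
ORG_SERVER_TOKEN = make_token(
    {"alg": "RS256", "typ": "JWT", "kid": "kid-unpublished"},
    {"iss": "https://example.okta.com", "aud": "https://example.okta.com",
     "sub": "user@example.com", "scp": ["openid", "profile", "offline_access"]})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("org-server", ORG_SERVER_TOKEN)):
        print(name, diagnose(tok, JWKS, ISSUER, API_AUDIENCE) or ["key found, claims consistent"])
```

To apply it to a real token, paste the access token in place of the constructed ones and replace `JWKS` with the JSON fetched from the `jwks_uri` listed in the configured authority's `/.well-known/openid-configuration`; if the `kid` is absent from that document and `iss` is the bare org URL, the fix lies in which authorization server the mobile app requests the token from, not in the resource server's validation settings.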