Unable to parse JWT through JwtSecurityTokenHandler

kenkelr · 2019-01-11 14:53:32 UTC

Given any JWT I get from Okta, When I get to this part:

JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();

				SecurityToken jwt;

				var result = tokendHandler.ValidateToken(v_IdToken, validationParameters, out jwt);

I always get an exception on the ValidateToken method:

IDX12709: CanReadToken() returned false. JWT is not well formed: ‘[PII is hidden]’.\nThe token needs to be in JWS or JWE Compact Serialization Format. (JWS): ‘EncodedHeader.EndcodedPayload.EncodedSignature’. (JWE): ‘EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag’.

This code parses JWT’s from Microsoft Azure just fine, so I’m not sure what the issue is. Any help on this would be appreciated

Example JWT with this problem:
eyJraWQiOiJ5dGZRVUhfNFE3T3Z6LVg2d2tqelhTaGZoMmQyTE9WbG1fRUNXX21SZ3c0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVpdWZrdnh1TWx5VDYzbzBoNyIsImVtYWlsIjoicmtAZWFnbGVwb2ludC5jb20iLCJ2ZXIiOjEsImlzcyI6Imh0dHBzOi8vZGV2LTQyNTUzMC5va3RhcHJldmlldy5jb20iLCJhdWQiOiIwb2FpdjJ5MXlsdk9yVlF1RzBoNyIsImlhdCI6MTU0NzIxNzI5OSwiZXhwIjoxNTQ3MjIwODk5LCJqdGkiOiJJRC5idVJQbjlhd2VWSlJHZ19JN2tRNlFnek5mYUJrR3ZNM0xPX1poUjJveUJZIiwiYW1yIjpbInB3ZCJdLCJpZHAiOiIwMG9pdWZjaXl3TFlmZ2NSaTBoNyIsIm5vbmNlIjoiMTMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNTQ3MjE3Mjk3fQ.bpCzdiTL1Xz6hmXyHqtIX-9EUwSq9_nhAIPZoB9krluyqzbZugLjJO84FjDMMp9COBrSXzZYS_957Nr6JAd6Bv2NVgEBMmMqS8kx30NMZ_8NkdU6gYLtkk0FKwVz93xWoszStPQn2nlHcgiBQELbPxMLvzIZuf_Iu5d2JY1u15S1ATImbKLcPguIY6Jy1fM6SxcnN3Y5XuO3V94_LMZ3bBAbECBHuBb7xS7pQyz7vips-mh2qMFF4Q2gli8JCn39FiXtzhWeIL3Iv8CahJaMWSEFNVX0h_d2qU_LTqFXXami7vGIYHr6vaZAOTOHkJpYne3JVO3bcFxwNaBO9cPlrg

bdemers · 2019-01-11 16:33:52 UTC

Hey @kenkeir!

Access tokens issued from your root/org URL should be treated as opaque.
For example this one:

https://dev-123456.oktapreview.com
vs
https://dev-123456.oktapreview.com/oauth2/<id>

The second one can be treated as a JWT and validated.

Does that help?

kenkelr · 2019-01-14 16:04:10 UTC

Unfortunately, I’m not getting anything from this url now.

providing that the <id> is the clientID, the url formatted like this:
https://dev-123456.oktapreview.com/oauth2/<id>/v1/authorize

this errors out with : error=invalid_request&error_description=The+authorization+server+id+is+invalid.

The url formatted without the v1:
https://dev-123456.oktapreview.com/oauth2/<id>/authorize
this returns a 400 error on the okta website.

So my thought is that id is not the clientID. What should that value be?

kenkelr · 2019-01-14 16:13:32 UTC

Update to above, I replaced the clientID with default, and I recieved a token again, but I recieve the exact same error as before: CanReadToken() returned false, etc.

I guess I just don’t understand how the jwt from okta is malformed. It is properly subdivided into header, payload, signature. Putting it into an online jwt parser such as jwt.io returns expected data and values.

kenkelr · 2019-01-16 19:52:53 UTC

SOLVED

the issue is that the jwt returned from the auth server contained an end of file escape character (’\0’), which was invisible from a debug text editor, and removed from copy/paste. Removing this character causes the code to work without issue.