[Bug] AspNetCore 7.0 WebApi Authentication Fails (JWT) - Missing Method

[dotnetallday]

Which version of Microsoft.IdentityModel are you using?
6.27.0 (the latest stable version throws the exception)

Where is the issue?

• M.IM.JsonWebTokens
• M.IM.KeyVaultExtensions
• M.IM.Logging
• M.IM.ManagedKeyVaultSecurityKey
• M.IM.Protocols
• M.IM.Protocols.OpenIdConnect
• M.IM.Protocols.SignedHttpRequest
• M.IM.Protocols.WsFederation
• M.IM.TestExtensions
• M.IM.Tokens
• M.IM.Tokens.Saml
• M.IM.Validators
• M.IM.Xml
• S.IM.Tokens.Jwt
• Other (please describe)

Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft.IdentityModel.*

Repro

builder.Services.AddAuthentication(o => {
        o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(o =>
    {
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ClockSkew = TimeSpan.Zero,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SettingsUtil.Settings.CellaretApiSigningKey)),
            ValidateAudience = true,
            ValidateIssuer = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ValidAudience = SettingsUtil.Settings.CellaretApiAudience,
            ValidIssuer = SettingsUtil.Settings.CellaretApiIssuer
        };
});

Expected behavior
After being issued a valid JWT token (verified by 3rd party site - jwt.io) and my current above code stop working after NuGet package updates, any web api controller with the [Authorize] attribute incorrectly responds with a 401, despite the valid token being passed as "Bearer". I noticed this issue only after I had updated a number of NuGet packages and finally determined that this package was the culprit through inspection of my console output. It appears the new package is missing a method:

Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration

System.MissingMethodException: Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration(Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration, Microsoft.IdentityModel.Tokens.BaseConfiguration ByRef)'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
      Bearer was not authenticated. Failure message: Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration(Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration, Microsoft.IdentityModel.Tokens.BaseConfiguration ByRef)'.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Bearer was not authenticated. Failure message: Method not found: 'Boolean Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableConfiguration(Microsoft.IdentityModel.Tokens.TokenValidationParameters, Microsoft.IdentityModel.Tokens.BaseConfiguration, Microsoft.IdentityModel.Tokens.BaseConfiguration ByRef)'.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed. These requirements were not met:
      DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
      AuthenticationScheme: Bearer was challenged.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/1.1 GET https://localhost:7075/helloworld - - - 401 0 - 52.4040ms

Actual behavior
A 401 response is returned for all API requests, despite valid JWT tokens being passed.

Possible solution
I downgraded to 6.27.0 and this resolved my issue.

Additional context / logs / screenshots / links to code
None.

[BlowaXD]

Hello

We are affected too, bumped version to > 6.27.0 and we now receive 401 on all endpoints requiring JWT authorization

[brentschmaltz]

@dotnetallday @BlowaXD are you using the same versions of the assemblies?

[mcraiha]

This happens with 6.30.0 also.

[brentschmaltz]

@mcraiha @BlowaXD @dotnetallday this can happen when IdentityModel assemblies are not the same version.

[dotnetallday]

@brentschmaltz I made sure all ID assemblies were the same across all my projects in the solution when I did my testing.

[kevinchalet]

ABP, that uses OpenIddict, submitted a similar report, so it's likely a widespread issue (OpenIddict's latest 4.3.0 version references Wilson 6.30.0): openiddict/openiddict-core#1766.

@dotnetallday do you still get an exception if you explicitly reference System.IdentityModel.Tokens.Jwt version 6.30.0 in your .csproj?

[satlom]

I use the latest OpenIddict package which is reference the 4.3.0 version. The only thing that worked for me was to downgrade OpenIdDict to version 4.2.0 which references version 6.25.1 of this assembly. The latest System.IdentityModel.Tokens.Jwt is broken!

[Tentrun]

Same problem.

solution - downgrade to 6.27.0

[brentschmaltz]

@Tentrun @satlom @kevinchalet @dotnetallday looks like a problem, i will investigate.

There was a change from 6.27.0 and 6.28.0 in TokenUtilities.IsRecoverableConfiguration, the matching change was made in JwtSecurityTokenHandler and JsonWebTokenHandler. So is there a possibility that the versions are not in sync?

[Tentrun]

@brentschmaltz yeah, verisions are not a sync

[brentschmaltz]

@Tentrun you are not the only one to hit this, we have a work item to validate that all the IdentityModel assemblies are the same version on startup and either throw or log a warning.

I will remind the team we need to complete that task.

[kevinchalet]

@brentschmaltz FYI, I had to release a new OpenIddict version referencing 6.25.1 as I kept receiving similar reports.

Given that it's not the first time we see such issues in Wilson, you should strongly consider abandoning [InternalsVisibleTo] for your internal helpers or consider them public and avoid breaking changes in minor versions. Alternatively, you could embed your helpers in each assembly to eliminate this kind of problem (it's the approach used in OpenIddict and it's always been flawless).

[GonzaloLebron]

The problem is still happening to me, upgrading from
Microsoft.IdentityModel.Tokens 6.27.0 to the latest version.
The error I get (when debugging the library) is:
IDX10720: Unable to create KeyedHashAlgorithm for algorithm 'HS256', the key size must be greater than: '256' bits, key has '192' bits. (Parameter 'keyBytes')'
In Microsoft.IdentityModel.Tokens
Class: CryptoProviderFactory
Method ValidateKeySize(byte[] keyBytes, string algorithm, int expectedNumberOfBytes)

Clearly 24 characters and not 32 SecretKey is my issue
"JwtIssuerOptions": {
"SecretKey": "XXXXXXXXXXXXXXXXXXXXXXXX"
},

Even if
var signinKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtIssuerOptions.SecretKey));
var signInCredentials = new SigningCredentials(signinKey, SecurityAlgorithms.HmacSha256);

My question is, what this is not a breaking change ?
This is not related to missing method

[mbpoblet]

"Updating" System.IdentityModel.Tokens.Jwt to version 6.31.0 solved this for me.
(I put updating in quotes because it didn't show as installed, but when I installed it - following @brentschmaltz's suggestion of possibly mismatched versions - visual studio said it would update it - from version 6.15.0, if I recall correctly -, so I assume something must have had an older version as a dependency, which was causing the issue...)

[SeppPenner]

Following https://stackoverflow.com/questions/62198808/why-cant-i-create-a-jwt-token-with-sha256 (Although the issue is old and different), I'm now checking whether e.g. changing SecurityAlgorithms.HmacSha256 to SecurityAlgorithms.HmacSha256Signature has an impact.

[SeppPenner]

Following https://stackoverflow.com/questions/62198808/why-cant-i-create-a-jwt-token-with-sha256 (Although the issue is old and different), I'm now checking whether e.g. changing SecurityAlgorithms.HmacSha256 to SecurityAlgorithms.HmacSha256Signature has an impact.

Solved by this in my case... And make sure that your key is at least 256 bits (in UTF8: 32 characters) long...

[alecrodden]

Any update on this?

[VitaliyMF]

@alecrodden for IDX10720: Unable to create KeyedHashAlgorithm for algorithm 'HS256', the key size must be greater than: '256' bits I found a workaround that allows to use old (short) keys with a backward compatibility (JWTs generated before with these short keys correctly validated), see dotnet/aspnetcore#52369 (comment)

I've tried this https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/IDX10720 but this switch doesn't work for me, and it is unclear how it could work according to the source code of CryptoProviderFactory.

[SeppPenner]

Any update on this?

#2059 (comment) should work.

[brentschmaltz]

@SeppPenner @VitaliyMF @alecrodden the issue with key size and KeyedHashAlgorithm can be resolved with release 6.35.0

We will not address in 7.x as the change follows the spec.