
[Bug] Unknown reasons for Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys #2695

Closed
maomaomqiu opened this issue Jul 10, 2024 · 1 comment
Labels: Bug (Product is not functioning as expected), Customer reported (Indicates issue was opened by customer), Good First Issue (This is a good item for new team members), P1 (More important, prioritize highly)

maomaomqiu commented Jul 10, 2024
Hi, team

We use WebAuth, but we found an exception from Microsoft.identity.ServiceEssentials.Core.
This case is pretty rare. Also, we found other teams encountering such exceptions. (In their cases, they also encounter this issue, and the probability is also rare.)

Once this low-probability exception happens, it brings a catastrophic result.

Package reference chain:

WebAuth -> MISE -> SAL -> Wilson (Exception happened here)

Error message:

```text
Message: 'MISE12018: MiseHost (1.22.2.0): MISE12014: The request failed with exception: Microsoft.Identity.ServiceEssentials.Exceptions.MiseAuthenticationTicketProviderException: (layer1)
Component: AuthenticationTicketProvider:1.22.2.0
CorrelationId:8225b67f-b9a6-44b9-aaa6-b7503f1a13aa
Microsoft.Identity.ServiceEssentials.Exceptions.MiseAuthenticationTicketProviderException: MISE12034: AuthenticationTicketProvider (layer1)Name:AuthenticationTicketProvider, GetVersion:1.22.2.0.
 ---> System.AggregateException: S2S12096: Microsoft.IdentityModel.S2S.S2SAuthenticationManager caught exceptions when validating the token. See AuthenticationResult.InboundPolicyEvaluationResults for additional details. (S2S12086: An exception has been caught while validating the request applying the policy with id : 'c3a6fb3d-2f0a-4e6b-858a-406bbb4c6fdc'. Exception: Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context))
 ---> Microsoft.IdentityModel.S2S.S2SAuthenticationException: S2S12086: An exception has been caught while validating the request applying the policy with id : 'c3a6fb3d-2f0a-4e6b-858a-406bbb4c6fdc'. Exception: Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)
 ---> Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)
   at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
   at Microsoft.Identity.ServiceEssentials.MiseHost`1.AuthenticateRequestAsync(TMiseContext context, CancellationToken cancellationToken)
   at Microsoft.Identity.ServiceEssentials.MiseHost`1.HandleAsync(TMiseContext context, IReadOnlyCollection`1 modules, CancellationToken cancellationToken). (8225b67f-b9a6-44b9-aaa6-b7503f1a13aa). ' dict: {"source":"ms-assignment"}
```

Places that would produce such exceptions:

[screenshot of the code locations, attached to the original issue; not reproduced here]

Similar issue on Stack Overflow:

https://stackoverflow.microsoft.com/questions/361215

This is not correct for our case.

In our case, the tokens should be valid tokens. We didn't touch our auth logic or our app, and only one VM, actually one agent, is failing.

(We have many VMs that share the same token, but only one failed.)

@pmaytak pmaytak added P1 More important, prioritize highly Customer reported Indicates issue was opened by customer Bug Product is not functioning as expected Good First Issue This is a good item for new team members labels Sep 3, 2024
pmaytak (Contributor) commented Sep 3, 2024

Looks like the scenario is that the failure happens if at least one exception is thrown when processing a key:

This should be changed to an || comparison like in the JwtSecurityTokenHandler:

@keegan-caruso keegan-caruso added this to the 8.0.3 milestone Sep 5, 2024
@keegan-caruso keegan-caruso self-assigned this Sep 5, 2024
keegan-caruso pushed a commit that referenced this issue Sep 5, 2024
JsonWebTokenHandler would only return unwrapped keys if there were no errors.
This change is to align with the behavior in JwtSecurityTokenHandler, that is,
it returns the keys that were able to be unwrapped, and only throws if no keys
were able to be unwrapped.

Relates to #2695
keegan-caruso added a commit that referenced this issue Sep 9, 2024
* Return unwrapped keys if able

JsonWebTokenHandler would only return unwrapped keys if there were no errors.
This change is to align with the behavior in JwtSecurityTokenHandler, that is,
it returns the keys that were able to be unwrapped, and only throws if no keys
were able to be unwrapped.

Relates to #2695

* Apply same fix to ValidationParameter path

* Adjust DecryptToken to throw early if no keys as well as null keys

Add test case for no unwrapped keys

---------

Co-authored-by: Keegan Caruso <[email protected]>
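The following is an added example, not code from Wilson (Microsoft.IdentityModel) or from this issue's commits. It models the two policies contrasted above in pmaytak's comment and in the commit message: the pre-fix JsonWebTokenHandler path, which throws as soon as any one decryption key fails to unwrap, and the JwtSecurityTokenHandler policy adopted by the fix, which keeps every key that did unwrap and throws only when none did. The key-wrap scheme here (an HMAC tag plus a SHA-256 keystream) is a constructed stand-in for real AES key wrap, and all names, sample keys and the rollover scenario are assumptions made for the illustration.

```python
"""Added example (not Wilson's code): why "fail if any key fails" breaks key rollover.

A JWE carries its content-encryption key (CEK) wrapped under one key-encryption key
(KEK). During key rollover the receiver holds several candidate KEKs and must try
each; a candidate that is simply the wrong key raises on unwrap. The toy scheme
below (HMAC tag + SHA-256 keystream) stands in for AES key wrap so the example
runs offline; all names and sample material are constructed for this illustration.
"""
import hashlib
import hmac


class KeyUnwrapError(Exception):
    """Stands in for SecurityTokenKeyWrapException (IDX10618)."""


def wrap_key(kek: bytes, cek: bytes) -> bytes:
    """Toy wrap: XOR the CEK with a keystream derived from the KEK, prepend an HMAC tag."""
    if len(cek) > 32:
        raise ValueError("toy scheme wraps at most 32 bytes")
    stream = hashlib.sha256(kek + b"keystream").digest()
    ciphertext = bytes(a ^ b for a, b in zip(cek, stream))
    tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def unwrap_key(kek: bytes, wrapped: bytes) -> bytes:
    """Toy unwrap: verify the tag under this KEK, then recover the CEK. Raises for a wrong KEK."""
    tag, ciphertext = wrapped[:32], wrapped[32:]
    expected = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise KeyUnwrapError("key unwrap failed for this key")
    stream = hashlib.sha256(kek + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def unwrap_with_any_failure_fatal(candidate_keks, wrapped):
    """Pre-fix behaviour described in the issue: one failing candidate discards all successes."""
    unwrapped, errors = [], []
    for kek in candidate_keks:
        try:
            unwrapped.append(unwrap_key(kek, wrapped))
        except KeyUnwrapError as exc:
            errors.append(exc)
    if errors:  # throws even though another candidate may have succeeded
        raise KeyUnwrapError(f"{len(errors)} of {len(candidate_keks)} keys failed")
    return unwrapped


def unwrap_with_first_success_sufficient(candidate_keks, wrapped):
    """Fixed behaviour (the JwtSecurityTokenHandler policy): return every CEK that unwrapped;
    throw only when no candidate worked, so a token no key can open is still rejected."""
    unwrapped, errors = [], []
    for kek in candidate_keks:
        try:
            unwrapped.append(unwrap_key(kek, wrapped))
        except KeyUnwrapError as exc:
            errors.append(exc)
    if not unwrapped:
        raise KeyUnwrapError(f"no key could unwrap; {len(errors)} error(s)")
    return unwrapped


# Constructed sample material: a 16-byte CEK and two 32-byte KEKs from a rollover.
SAMPLE_CEK = bytes(range(16))
OLD_KEK = b"old-kek-" * 4
NEW_KEK = b"new-kek-" * 4


def rollover_scenario():
    """Token wrapped under NEW_KEK while the receiver still lists OLD_KEK as a candidate.
    Returns (pre_fix_outcome, post_fix_outcome) as 'accepted' / 'rejected' strings."""
    wrapped = wrap_key(NEW_KEK, SAMPLE_CEK)
    candidates = [OLD_KEK, NEW_KEK]
    try:
        unwrap_with_any_failure_fatal(candidates, wrapped)
        before = "accepted"
    except KeyUnwrapError:
        before = "rejected"
    recovered = unwrap_with_first_success_sufficient(candidates, wrapped)
    after = "accepted" if recovered == [SAMPLE_CEK] else "rejected"
    return before, after


if __name__ == "__main__":
    print(rollover_scenario())  # ('rejected', 'accepted')
```

The scenario matches the reporter's symptom of an intermittent failure on otherwise valid tokens: whenever the candidate key list contains at least one key that is not the wrapping key, the pre-fix policy rejects the request, while the fixed policy accepts it and still rejects a token that no configured key can unwrap.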