IDX10625

What is the issue?

If you receive the following exception: `"IDX10625: Failed to verify authenticationTag, the actual tag length '36' does not match the expected tag length '32'. authenticationTag: 'XFBoMYUZodetZdvTiFvSkQCsdfawerwWqXez', algorithm: 'A256CBC-HS512'. See: https://aka.ms/IdentityModel/SkipAuthenticationTagLengthValidation".

This means that the authenticationTag has likely been altered.

The expected authenticationTag lengths can vary based on algorithm:

Supported Algorithms	Expected Auth Tag size
Aes128Gcm	16 bytes
Aes192Gcm	16 bytes
Aes256Gcm	16 bytes
Aes128CbcHmacSha256	16 bytes
Aes192CbcHmacSha384	24 bytes
Aes256CbcHmacSha512	36 bytes

Microsoft.IdentityModel 7.5.2 we have fixed this bug (Verify authentication tag length). This ensures you conform with the specification.

Remediation steps

If you receive this exception, this means that the authentication tag has been altered. Do not alter the authentication tag or append any characters to the end of a JWE.
If you really cannot act immediately, you can set a feature flag to bypass this security check. We encourage you, however, to not bypass this check. To set this feature flag, update your configuration file. For instance if your configuration is an appsettings.json file, use
```
<appSettings>
  <add key="AppContext.SetSwitch:Switch.Microsoft.IdentityModel.SkipAuthenticationTagLengthValidation" value="true" />
</appSettings>
```

See this article AppContext for library consumers for all the ways you can enable this switch in your application.

Overview

Conceptual Documentation

Common Exceptions

Frequently Asked Questions

Known Issues and Workarounds

IdentityModel 7x

IdentityModel 7x.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IDX10625

IDX10625

What is the issue?

Remediation steps

Clone this wiki locally