
IDX10720

kellyyangsong edited this page Apr 30, 2024 · 12 revisions


What is the issue?

If you receive an exception such as: `"IDX10720: Unable to create KeyedHashAlgorithm for algorithm 'SHA256', the key size must be greater than: '256' bits, key has '128' bits. See https://aka.ms/IdentityModel/UnsafeRelaxHmacKeySizeValidation"`.

This means that you have configured HMAC-SHA256 (HS256) as the signing algorithm, but the key you provided for it is shorter than the algorithm requires. In other words, you are less secure than you think!

The numbers and the algorithm name vary (HS256 requires 256 bits, HS384 requires 384 bits, HS512 requires 512 bits). See https://datatracker.ietf.org/doc/html/rfc7518#section-3.2 for details.

In Microsoft.IdentityModel 6.30.1 we fixed this security issue (Enforce key sizes when creating HMAC) so that the key size matches the security level the algorithm is meant to provide. This ensures you conform with the specification.

How to remediate?

  • If you receive this exception the best practice is to increase the size of your key with the suggested number of bits.

  • If you really cannot act immediately, you can set a feature flag to bypass this security check. We encourage you, however, to address the root cause as soon as possible. To set this feature flag, update your configuration file. For instance, if your application uses an XML configuration file such as app.config, add

    <appSettings>
      <add key="AppContext.SetSwitch:Switch.Microsoft.IdentityModel.UnsafeRelaxHmacKeySizeValidation" value="true" />
    </appSettings>

See the article "AppContext for library consumers" for all the ways you can enable this switch in your application.
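As an added example (not code from this wiki or from the Microsoft.IdentityModel library), the following helper checks a symmetric key against the RFC 7518 minimums before handing it to the library and generates a key of the right size, which is the recommended remediation above. The class and method names `HmacKeyPolicy`, `BuildHmacCredentials` and `GenerateHmacKey` are assumed here; it depends on the Microsoft.IdentityModel.Tokens NuGet package and .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens; // NuGet: Microsoft.IdentityModel.Tokens

// Assumed helper names; not part of the library.
static class HmacKeyPolicy
{
    // Minimum key sizes in bits from RFC 7518 section 3.2: the key must be
    // at least as long as the hash output of the algorithm.
    static readonly Dictionary<string, int> MinKeyBits = new()
    {
        [SecurityAlgorithms.HmacSha256] = 256, // "HS256"
        [SecurityAlgorithms.HmacSha384] = 384, // "HS384"
        [SecurityAlgorithms.HmacSha512] = 512, // "HS512"
    };

    // Validate the key before it reaches the library, so a short key fails at
    // startup with the algorithm and both sizes spelled out. The library's own
    // IDX10720 check (6.30.1 and later) still runs as a backstop.
    public static SigningCredentials BuildHmacCredentials(string algorithm, byte[] keyBytes)
    {
        if (!MinKeyBits.TryGetValue(algorithm, out int minBits))
            throw new ArgumentException($"'{algorithm}' is not an HMAC JWS algorithm.", nameof(algorithm));

        var key = new SymmetricSecurityKey(keyBytes); // KeySize is reported in bits
        if (key.KeySize < minBits)
            throw new ArgumentException(
                $"{algorithm} requires at least {minBits} bits of key; got {key.KeySize} bits.",
                nameof(keyBytes));

        return new SigningCredentials(key, algorithm);
    }

    // Generate a fresh random key of exactly the minimum size for the algorithm.
    public static byte[] GenerateHmacKey(string algorithm)
        => RandomNumberGenerator.GetBytes(MinKeyBits[algorithm] / 8);

    static void Main()
    {
        // Constructed 128-bit key: the situation that triggers IDX10720.
        byte[] shortKey = new byte[16];
        try { BuildHmacCredentials(SecurityAlgorithms.HmacSha256, shortKey); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }

        // Remediation: a 256-bit key for HS256.
        byte[] goodKey = GenerateHmacKey(SecurityAlgorithms.HmacSha256);
        var creds = BuildHmacCredentials(SecurityAlgorithms.HmacSha256, goodKey);
        Console.WriteLine($"OK: {creds.Algorithm} with a {creds.Key.KeySize}-bit key");
    }
}
```

The generated key should be stored in a secret store (for example a key vault or environment-specific secrets configuration) rather than in source control, and the temporary `UnsafeRelaxHmacKeySizeValidation` switch above should be removed once every key meets the minimum.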
