Base solution for your next web application
Open Closed

IDX10503: Signature validation failed. Keys tried #6967

User avatar
0
BTTCorp created

Hi,

I'm trying to implement a custom API that should authenticate the user token through the main project (AspNetZero + IdentityServer4). Here is my scenario:

The user request an access_token to the AspNetZero:

curl -X POST \
  http://localhost:22742/api/TokenAuth/Authenticate \
  -H 'Abp.TenantId: 1' \
  -H 'Accept: application/json' \
  -H 'Authorization: Basic Y2xpZW50OmRlZjJlZGY3LTVkNDItNGVkYy1hODRhLTMwMTM2YzM0MGUxMw==' \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: 4ae44037-d9f6-4e39-ba38-6f6bcf709d63' \
  -H 'cache-control: no-cache' \
  -d '{
	"usernameOrEmailAddress": "admin",
	"password": "admin"
}'

And receive the token:

{
    "result": {
        "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyIiwibmFtZSI6ImFkbWluIiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiI4N2ExZjY1Yi1hMzcwLTM5MDgtMjVlMi0zOWViOGM0Z
        TAwY2YiLCJyb2xlIjoiQWRtaW4iLCJodHRwOi8vd3d3LmFzcG5ldGJvaWxlcnBsYXRlLmNvbS9pZGVudGl0eS9jbGFpbXMvdGVuYW50SWQiOiIxIiwianRpIjoiZWU5ODZiNGItMWE4MC00NmQ4LTkxZjAtMjI1ZWVlZDkyZ
        mE3IiwiaWF0IjoxNTU3MjI5NzQ5LCJ0b2tlbl92YWxpZGl0eV9rZXkiOiJiMTBlYjQyNS0yMTgyLTRhYzMtYmNkOS0yOGMyOGEzOWUyZTYiLCJ1c2VyX2lkZW50aWZpZXIiOiIyQDEiLCJuYmYiOjE1NTcyMjk3NDksImV4cCI6MT
        U1NzMxNjE0OSwiaXNzIjoiUG9ydGFsIiwiYXVkIjoiUG9ydGFsIn0.fRIdw9z5ITgishY8PRg9XHs5e0yrnzZZ_s3Nul98tr8",
        "encryptedAccessToken": "wNYmO41/48SHNstaLVXxHCCre29BZQl1NhC6NM3R3rwZiL572M4gBaHf6sHsTGZfcntBdt0YdGxxOmZDW4iy5jqe38W4yYK8C/ZyrckjUp2HPGDmagvdis58EyNMpU3nSRtiAxQDeAI9GbjKTv
        JK8YVC74c0JREZ0QCsXHX2emQn3uNkO/VeFi83SknQb2JBZw3WAoXbZAnVA2bDQ7M5tiA+uqGj1xZcEAkqHOJoF2wiUZqLQtjB8p54MnQJ6EEdrmDqXBTzjz7MGRNMOPt3KU8bElGG/nVRkiA0s309BDbN+0elR5P7e0Gx/EEgEAMaLMORjg
bLvp5x1xbap5QmheyPVsYzD8qHkG0EMcHz2sUvdqEaf5EurGrgAsjN5FlDuTtNE+GBa5sXekwXbdj3lRSIvh0IGJxajpOPBKhQIt/SzQeS+mtSq82k4xrgK+quEnT1FL1EvHqlGFWKKku+oaiyqCvT3o2yIr5FPKd26daRbuuyM5YhE3mEkVmhqfHo8K
IWRzcg4I+55bBx5N3+hsqCif7+THNtxePu7z7e0kcAjSzLBooQJ+0AWubkvil4jrs9AfjsDDefWvnvlC4n7OwHdxBXheQxKwzn0wawkFIVV35rVo5SC5baNHI2hrzlN1n80lUNyKf7SrksdLtzo/U/EP1Ztw5ah1z34ezshlaqvJKc78pZwHGUGxNbq
JqcyGG7Ovqy/fLAtPmmZKHdEgy3uqQpYA9mPovMc1Me6AFnJc3yQJWfGYErIGLaJRV2i3kI
yfKsPe9eEw5YpMZM1KxPhhmK0UgMlFBzDMKnZuo=",
        "expireInSeconds": 86400,
        "shouldResetPassword": false,
        "passwordResetCode": null,
        "userId": 2,
        "requiresTwoFactorVerification": false,
        "twoFactorAuthProviders": null,
        "twoFactorRememberClientToken": null,
        "returnUrl": null
    },
    "targetUrl": null,
    "success": true,
    "error": null,
    "unAuthorizedRequest": false,
    "__abp": true
}

Once he received the token, he request the information to the custom API:

curl -X GET \
  https://localhost:5001/api/values -k -v \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyIiwibmFtZSI6ImFkbWluIiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiI4N2ExZjY1Yi1hMzcwLTM5MDgtMjVlMi0zOW
  ViOGM0ZTAwY2YiLCJyb2xlIjoiQWRtaW4iLCJodHRwOi8vd3d3LmFzcG5ldGJvaWxlcnBsYXRlLmNvbS9pZGVudGl0eS9jbGFpbXMvdGVuYW50SWQiOiIxIiwianRpIjoiZWU5ODZiNGItMWE4MC00NmQ4LTkxZjAtM
  jI1ZWVlZDkyZmE3IiwiaWF0IjoxNTU3MjI5NzQ5LCJ0b2tlbl92YWxpZGl0eV9rZXkiOiJiMTBlYjQyNS0yMTgyLTRhYzMtYmNkOS0yOGMyOGEzOWUyZTYiLCJ1c2VyX2lkZW50aWZpZXIiOiIyQDEiLCJuYmYiOjE1NTcyMj
  k3NDksImV4cCI6MTU1NzMxNjE0OSwiaXNzIjoiUG9ydGFsIiwiYXVkIjoiUG9ydGFsIn0.fRIdw9z5ITgishY8PRg9XHs5e0yrnzZZ_s3Nul98tr8'

The Custom API should validate the token with the AspNetZero project:

services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            }).AddJwtBearer(o =>
            {
                o.Authority = "http://localhost:22742";
                o.Audience = "default-api";
                o.RequireHttpsMetadata = false;
            });

But when I try to do it, I receive the following exception:

40minfo: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
      Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'.
Exceptions caught:
 '[PII is hidden]'.
token: '[PII is hidden]'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: Failed to validate the token.

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'.
Exceptions caught:
 '[PII is hidden]'.
token: '[PII is hidden]'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'.
Exceptions caught:
 '[PII is hidden]'.
token: '[PII is hidden]'.
      Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'.
      Exceptions caught:
       '[PII is hidden]'.
      token: '[PII is hidden]'.

Here's the configuration from my AspNetZero project:

public static IEnumerable<ApiResource> GetApiResources()
      {
          return new List<ApiResource>
          {
              new ApiResource("default-api", "Default (all) API")
              {
                  Description = "AllFunctionalityYouHaveInTheApplication",
                  //ApiSecrets= {new Secret("secret") }
              }
          };
      }

"Clients": [
    {
      "ClientId": "client",
      "AllowedGrantTypes": [
        "hybrid",
        "password"
      ],
      "ClientSecrets": [
        {
          "Value": "def2edf7-5d42-4edc-a84a-30136c340e13"
        }
      ],
      "AllowedScopes": [
        "default-api",
        "openid",
        "profile"
      ],
      "RedirectUris": [
        "http://localhost:22742/signin-oidc"
      ],
      "PostLogoutRedirectUris": [
        "http://localhost:22742/signout-callback-oidc"
      ]
    }

It should be easy to do this, I have a different project doing the same. Any ideas about what could be wrong?

Thanks,

Go to accepted answer
4 Answer(s)
  • User Avatar
    0
    ryancyq created
    Support Team

    Hi, you will need to include Abp.TenantId for /api/values as well.

    See https://docs.aspnetzero.com/documents/aspnet-core-angular/latest/Features-Angular-Token-Based-Authentication#using-api

  • User Avatar
    0
    BTTCorp created

    Didn't worked.

  • User Avatar
    1
    maliming created
    Support Team

    @BTTCorp I think you should get the token from the token endpoint of the identity server instead of api/TokenAuth/Authenticate

  • User Avatar
    0
    BTTCorp created

    @maliming you're a genius! It worked! Thank you!!

Assignee
No one
Labels
Non yet