Every other request JWT validation fails with 'idx10503 signature validation failed. token does not have a kid'

So this whole JWT signing and validation is quite new to me. I now have a C# application which is requesting some information via an API secured with JWT. The weird thing is that every other request fails. So the first request works like a charm. I'm getting the info and responses I expect. JWT validation is successful.

On the next request I do after it (starting the whole process from the start, including getting a new access token since the refresh token is not supported) I get an 'idx10503 signature validation failed. token does not have a kid'. I can't get my head around it. The JWT.io debugger says the signature is valid.

If, after the failed validation, I do a new request (again starting the whole process), the JWT is valid.

So, to make it clear, it looks like this:

  • Request 1, JWT validation success.
  • Request 2, JWT validation fail.
  • Request 3, JWT validation success.
  • Request 4, JWT validation fail.
  • etc.

The part where I validate my JWT and get the error is below:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Cryptography;
    using Microsoft.IdentityModel.Tokens;
    using Org.BouncyCastle.Crypto;
    using Org.BouncyCastle.Crypto.Parameters;
    using Org.BouncyCastle.Security;

    // publicKey: the base64 body of a "BEGIN PUBLIC KEY" (SubjectPublicKeyInfo) block
    public SecurityToken ValidateJwt(string jwtToken, string publicKey)
    {
        try
        {
            var keyBytes = Convert.FromBase64String(publicKey);

            // BouncyCastle parses the DER-encoded key; only modulus and exponent are needed
            AsymmetricKeyParameter asymmetricKeyParameter = PublicKeyFactory.CreateKey(keyBytes);
            RsaKeyParameters rsaKeyParameters = (RsaKeyParameters)asymmetricKeyParameter;
            RSAParameters rsaParameters = new RSAParameters
            {
                Modulus = rsaKeyParameters.Modulus.ToByteArrayUnsigned(),
                Exponent = rsaKeyParameters.Exponent.ToByteArrayUnsigned()
            };

            // declared outside the using block so it is still in scope for the return below
            SecurityToken validatedToken;
            using (var rsa = new RSACryptoServiceProvider())
            {
                rsa.ImportParameters(rsaParameters);
                var validationParameters = new TokenValidationParameters()
                {
                    RequireExpirationTime = true,
                    RequireSignedTokens = true,
                    ValidateAudience = false,   // the aud claim is not checked here
                    ValidateIssuer = false,     // the iss claim is not checked here
                    IssuerSigningKey = new RsaSecurityKey(rsa)
                };
                var handler = new JwtSecurityTokenHandler();

                handler.ValidateToken(jwtToken, validationParameters, out validatedToken);
            }

            return validatedToken;
        }
        catch (Exception)
        {
            // rethrow as-is; "throw e;" would reset the stack trace
            throw;
        }
    }

I have already tried to see if it makes a difference if I put the RSAParameters in the cache and use those same parameters in the next request. Unfortunately that makes it worse in my case, because all the next JWT validations fail.

Does anyone have an idea what might go wrong?



Solution 1:[1]

Fixed my issue finally by adding some parameters to the validationParameters:

    TryAllIssuerSigningKeys = true,
    IssuerSigningKey = new RsaSecurityKey(rsa),
    IssuerSigningKeys = new List<SecurityKey>() { new RsaSecurityKey(rsa) }

Solution 2:[2]

For anyone else who has this issue, it was because I had installed the latest Microsoft.Data.Sqlclient from Nuget which also installed dependencies for older versions of System.Identity.Model. I uninstalled the Microsoft.Data.Sqlclient Nuget package and it started working again.

The lesson here is to always read what Nuget is telling you about what it's doing when installing packages!

Solution 3:[3]

I solved my problem which was the same error message as the OP had. It turns out I was using the wrong certificate. The error message is extremely misleading. If the "kid" field is non-existent and you're using the wrong cert, you'll get that incorrect IDX10503 error. I looked at the .net source code and it uses the x5t field if the kid field is missing. Also, I didn't implement OP's fix but it still worked.
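The following is an added, self-contained example that is not code from the question or from any of the answers. It ties Solution 1 and Solution 3 together: the handler first looks for a validation key whose KeyId matches the token's "kid" (or, when "kid" is absent, its "x5t") header, and with TryAllIssuerSigningKeys it falls back to trying every key in IssuerSigningKey/IssuerSigningKeys. The program mints one token without a "kid" and one with a "kid", prints the header of each without validating it (the first check worth doing when IDX10503 appears), and then validates both with the public key only. Assumptions: .NET 6 with the System.IdentityModel.Tokens.Jwt 6.x package; the issuer and audience strings and the key id "key-2024-01" are invented for the demo; RSA.ImportSubjectPublicKeyInfo is used instead of the question's BouncyCastle path to parse the same base64 SubjectPublicKeyInfo string. Unlike the question's snippet, which sets ValidateAudience and ValidateIssuer to false, the example checks both claims and pins the algorithm to RS256.

```csharp
// Added example (not from the question or answers). Targets .NET 6 with the
// System.IdentityModel.Tokens.Jwt 6.x NuGet package. The key pair is generated
// at run time and the issuer/audience/kid values are assumed, so it runs offline.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class JwtKidDemo
{
    const string Issuer = "https://issuer.example";   // assumed value
    const string Audience = "api://example";           // assumed value
    const string KeyId = "key-2024-01";                // assumed value

    static void Main()
    {
        var handler = new JwtSecurityTokenHandler();

        // Simulate the remote API's issuer: one RSA key pair, with the public half
        // exported as the base64 SubjectPublicKeyInfo string the question calls `publicKey`.
        using var issuerRsa = RSA.Create(2048);
        string publicKey = Convert.ToBase64String(issuerRsa.ExportSubjectPublicKeyInfo());

        // Token A: the signing key has no KeyId, so the JWT header carries no "kid".
        string tokenNoKid = Issue(handler, new RsaSecurityKey(issuerRsa));
        // Token B: the signing key has a KeyId, so the header carries kid="key-2024-01".
        string tokenWithKid = Issue(handler, new RsaSecurityKey(issuerRsa) { KeyId = KeyId });

        // Verifier side: only the public key is available, as in the question.
        using var verifyRsa = RSA.Create();
        verifyRsa.ImportSubjectPublicKeyInfo(Convert.FromBase64String(publicKey), out _);
        var verifyKey = new RsaSecurityKey(verifyRsa) { KeyId = KeyId };

        var parameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // accept RS256 only
            IssuerSigningKeys = new List<SecurityKey> { verifyKey },
            TryAllIssuerSigningKeys = true, // no kid/x5t match -> try every listed key
            ClockSkew = TimeSpan.FromMinutes(1),
        };

        foreach (var token in new[] { tokenNoKid, tokenWithKid })
        {
            DescribeHeader(handler, token);
            try
            {
                handler.ValidateToken(token, parameters, out SecurityToken validated);
                Console.WriteLine($"  valid until {validated.ValidTo:u}");
            }
            catch (SecurityTokenException ex)
            {
                // IDX10503 surfaces here when no key matched the header's kid/x5t
                // and none of the remaining keys verified the signature.
                Console.WriteLine($"  rejected: {ex.Message}");
            }
        }
    }

    // Mint a short-lived RS256 token, standing in for the remote API.
    static string Issue(JwtSecurityTokenHandler handler, SecurityKey signingKey)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "demo-user") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256),
        };
        return handler.CreateEncodedJwt(descriptor);
    }

    // Decode the header WITHOUT validating anything: shows which alg/kid/x5t
    // the token really carries, which is what the IDX10503 message is about.
    static void DescribeHeader(JwtSecurityTokenHandler handler, string token)
    {
        JwtSecurityToken jwt = handler.ReadJwtToken(token);
        Console.WriteLine(
            $"alg={jwt.Header.Alg} kid={jwt.Header.Kid ?? "(none)"} x5t={jwt.Header.X5t ?? "(none)"}");
    }
}
```

Setting KeyId on the verification key to the value the issuer puts in "kid" is the direct fix for the matching step; TryAllIssuerSigningKeys is the fallback for tokens that carry neither "kid" nor "x5t". If a token is still rejected with a correct key, compare the printed header against the key that was loaded, since a mismatched certificate produces the same IDX10503 message (as Solution 3 describes).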

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Willem
Solution 2: batface
Solution 3: Jason Cheng