.NET 9: `dotnet user-jwts` not working

[Zhiyuan-Amos]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I followed the MSDN and upon sending the HTTP Request with the Bearer token, the server returns 401. The WWW-Authenticate response header shows Bearer error="invalid_token", error_description="The signature key was not found".

Expected Behavior

Server returns 200.

Steps To Reproduce

Followed the exact steps in the MSDN

Exceptions (if any)

No response

.NET Version

9.0.100

Anything else?

RID: win-arm64
It used to work on .NET 8.

[oussamatecnique]

can you add more details please... like how the jwt token used in this call look like, and the appsettings.developement authentication details
such validissuer and the code of authentication injection.
this could be the issue the validIssuer used by the command line dotnet user-jwts, is not what your app expect.

[Zhiyuan-Amos]

I'm aware of these possible concerns as I understand these security concepts and I had it working on .NET 8. I have attached the code from following the instructions in the above documentation https://github.com/Zhiyuan-Amos/MyJWT for ease of repro: Just create the JWT using dotnet user-jwts create and send it to the /secret endpoint.

Edit: I downgraded my project to .NET 8 (also downgraded Microsoft.AspNetCore.Authentication.JwtBearer to 8.0.11), and using dotnet user-jwts create and send it to the /secret endpoint works.

[oussamatecnique]

you are right it's not working on dotnet9 I debugged deeply I found 2 issues:
1st issue:
in JwtBearerConfigureOptions

in dotnet9 the IssuersigningKeys is not loaded from secrets.json, because of a parameter called ValidIssuers.

the difference reside in this commit:
cc5bc6b

this can be fixed by adding this to your asppsettings:
"ValidIssuers": [
"dotnet-user-jwts"
]
2nd issue:
if you apply solution above the token validation throws a different error.
Authentication failed: IDX10517: Signature validation failed. The token's kid is missing. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,

I am not sure now jsonwebTokenValidator is checking also kid which is empty when you assign IssuerSigninKey by byte[]

[ig33kmor3]

+1 I also had to rollback to the latest version of 8.x.x to resolve this problem. Works fine on 8.x.x

[gepa21]

the problem is that with this change the issuer is not added to the issuers list and the GetIssuerSigningKeys() method only cares about the issuers list to search for signing keys

[Estyn]

If anyone else is looking for a quick and dirty work around, the following worked for me.

builder.Services.AddAuthentication("Bearer").AddJwtBearer(o =>
{
    o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
         ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuers = [builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidIssuer").Get<string>()],
        ValidAudiences = builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidAudiences").Get<string[]>(),
         IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(builder.Configuration.GetSection("Authentication:Schemes:Bearer:SigningKeys:0").GetValue<string>("Value")))
    };
});

[michielpost]

If anyone else is looking for a quick and dirty work around, the following worked for me.

builder.Services.AddAuthentication("Bearer").AddJwtBearer(o =>
{
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuers = [builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidIssuer").Get()],
ValidAudiences = builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidAudiences").Get<string[]>(),
IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(builder.Configuration.GetSection("Authentication:Schemes:Bearer:SigningKeys:0").GetValue("Value")))
};
});

Thanks. I've also ran into this issue and this workaround solved it for me.