Bearer was not authenticated: Signature validation failed
I am using Identity Server 4 to protect my APIs (Implicit Flow Mode) which are accessed by angular application. Every thing is working fine, however at specific period the access token suddenly became invalid even before its expiry.
Configuration:
Here is the Identity Server Startup file:
var identityBuilder = services.AddIdentityServer().AddInMemoryStores().SetTemporarySigningCredential();
identityBuilder.AddInMemoryScopes(identitySrvConfig.GetScopes());
identityBuilder.AddInMemoryClients(identitySrvConfig.GetClients());
Protecting the APIs:
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = identityOptions.Authority,
ScopeName = "userProfile_api",
RequireHttpsMetadata = false
});
Investigation:
The issue was the bearer was not authenticated
Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match 'kid': 'e4f3534e5afd70ba74c245fe2e39c724', token
After some investigation, it appears that identity server is generating a new key which was causing the signature validation to fail.
In the log, I can see when the two warning events at end happening, then I see "Repository contains no viable default key" and "a new key should be added to the ring"
Questions
Why would there no be a key at anytime when the key lifetime is almost 3 months even I am using temporary signing (SetTemporarySigningCredential) and I am not restarting the server?
Creating key {a2fffa4a-345b-4f3b-bae7-454d567a1aee} with creation date 2017-03-03 19:15:28Z, activation date 2017-03-03 19:15:28Z, and expiration date 2017-06-01 19:15:28Z.
How can I solve this issue?
Creating a self signing certificate and removing the temporary signing on identity server fixed the issue.
var signingCertificate = new X509Certificate2("ReplaceByCertificatePath, "ReplaceByPasswordCertificate");
var identityBuilder = services.AddIdentityServer().AddInMemoryStores().SetSigningCredential(signingCertificate);
identityBuilder.AddInMemoryScopes(IdentitySrvConfig.GetScopes());
identityBuilder.AddInMemoryClients(IdentitySrvConfig.GetClients());
- Auth0 React SPA incorrect access token for API
- Laravel API response Unauthenticated even when Authentication is passed
- io.jsonwebtoken.UnsupportedJwtException: Signed Claims JWSs are not supported
- Any way to generate Supabase ANON_KEY and JWT_SECRET locally?
- Keycloak authorization on behalf of another user
- Migrating from validate-jwt to validate-azure-ad-token policy
- Where to save a JWT in a browser-based application and how to use it
- Json Web Token verify() return jwt malformed
- JWT validation failure error in azure apim
- How to convert spring boot app with Okta to read okta groups
- Google Cloud Functions - ImportError: cannot import name 'InvalidKeyError' from 'jwt.exceptions'
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- NestJS JWT Strategy requires a secret or key
- How to create a Json Web Token (JWT) using OpenSSL shell commands?
- Is it safe to keep access token in NextAuth session?
- Verifying JWT signed with the RS256 algorithm using public key in C#
- JWT generate token with algorithm ES256
- Generating JWT token with JwtUtil class in Spring Boot resulting in NullPointerException
- MSAL AcquireSilent gets always new token
- In Identity Server 4, I have a User's identity but 0 Claims
- I'm trying to create a Pydantic extension that allows me to deserialize jwt strings into pydantic models
- Is setting Roles in JWT a best practice?
- Get email claim from identity after upgrading to .NET 8 not working
- How to decode jwt token in POSTMAN?
- Firebase "getIdToken(true)" in Java Backend
- AWS cognito: What's the difference between Access and Identity tokens?
- Receiving attempted import error for JWT in Next.js
- How do I solve audience (aud) invalid claim error for downstream api service?
- Header sent error express.js with cookie-parser
- [NestJs]: JwtModule.register() not working