in my .net core 2.2 microservice, I try to extract claims from a JWT token to do some authorization. authentication is done on another part of the system so I don't need to do it at this point.
I am using this code in the Startup.cs:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
var signingKey = Encoding.UTF8.GetBytes("SECRET_KEY");
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
IssuerSigningKey = new SymmetricSecurityKey(signingKey)
};
});
On the controller I have this code:
[Authorize]
[HttpPost]
public async Task<ActionResult<CreateResponse>> Create()
{
var userIdClaim = HttpContext.User.Claims.Where(x => x.Type == "empId").SingleOrDefault();
return Ok($"Your User ID is {userIdClaim.Value} and you can create invoices!");
}
I always get this error message and "Unauthorized" response:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'. Exceptions caught: '[PII is hidden]'. token: '[PII is hidden]'.
You can see the hidden details in development by adding the following to Configure() in the Startup class:
if (env.IsDevelopment())
{
IdentityModelEventSource.ShowPII = true;
}
Once you have the full message check the key being used is correct for the token.