Manually validating a JWT token in C#











I am having some trouble manually validating a JWT token issued by Identity Server 4. Using the



ClientId: "CLIENT1"
ClientSecret: "123456"



The exception I keep getting is: IDX10501: Signature validation failed. Unable to match keys: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'



Is anyone able to advise me where I am going wrong?



    private static void ValidateJwt(string jwt, DiscoveryResponse disco)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            ValidIssuer = disco.Issuer,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("123456")),
            ValidAudience = "CLIENT1",
            //IssuerSigningKeys = keys,
            // ValidateAudience = true,
            // ValidateLifetime = true,
        };

        SecurityToken validatedToken;
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();

        try
        {
            var user = handler.ValidateToken(jwt, parameters, out validatedToken);
        }
        catch (Exception ex)
        {
            var error = ex.Message;
        }
    }






c# jwt identityserver4














edited Feb 19 at 8:40

























asked Feb 16 at 8:35









MarzSocks













  • Encoding.UTF8.GetBytes( can't be the right way to do this.
    – Henk Holterman
    Feb 16 at 9:49


































4 Answers
accepted

Check out ValidateJwt() in this sample:

https://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Clients/src/MvcManual/Controllers/HomeController.cs

The bit you're missing is loading the public key from the discovery document.















edited yesterday

answered Feb 16 at 10:39
mackie












  • It's all about the public key... not a private key. Thanks
    – MarzSocks
    Feb 16 at 12:16

  • I find I intermittently get this error, any reason why? Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: 'IDX10501: Signature validation failed. Unable to match keys: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]', token: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.'
    – MarzSocks
    Feb 16 at 13:19

  • Are you using a signing cert that's generated at runtime maybe?
    – mackie
    Feb 16 at 16:50

  • Turns out that it was the load balancer.
    – MarzSocks
    Feb 19 at 8:39

  • @PhillipScottGivens Link updated, they must have deleted the branch.
    – mackie
    yesterday


















IdentityServer signs the JWT using RS256. This means you need to use a public key to verify the JWT (you can get this from the discovery document).

The client id & client secret are client credentials used for requesting tokens. They have no part in validating them.

















answered Feb 16 at 9:52
Scott Brady
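
The point made in the two answers above, as an added example that is not part of the original posts or of the linked IdentityServer sample: locally generated RSA keys stand in for the token service's signing key, and RS256 tokens are validated with the client secret, with the published public key, and against a key set that lacks the signing key (the case the "generated at runtime" comment asks about). The issuer URL, the key ids, the two-node setup and the helper names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class Rs256ValidationDemo
{
    // Constructed values; the audience reuses the client id from the question.
    const string Issuer = "https://idsrv.example";
    const string Audience = "CLIENT1";

    public static void Main()
    {
        using (var rsaA = RSA.Create(2048))
        using (var rsaB = RSA.Create(2048))
        {
            // Two issuer nodes, each with its own runtime-generated key (hypothetical setup).
            string tokenA = Issue(rsaA, "node-a-key");
            string tokenB = Issue(rsaB, "node-b-key");

            // Key set as node A would publish it: public modulus and exponent only.
            var keys = new JsonWebKeySet(PublicJwks(rsaA, "node-a-key")).GetSigningKeys();

            // The question's approach: the client secret used as an HMAC key.
            var secret = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("123456"));

            Console.WriteLine("client secret      : " + Validate(tokenA, new[] { secret }));
            Console.WriteLine("published key      : " + Validate(tokenA, keys));
            Console.WriteLine("key not in the set : " + Validate(tokenB, keys));
        }
    }

    // Signs a short-lived token with RS256; the kid ends up in the JWT header.
    static string Issue(RSA rsa, string kid)
    {
        var credentials = new SigningCredentials(
            new RsaSecurityKey(rsa) { KeyId = kid }, SecurityAlgorithms.RsaSha256);
        var token = new JwtSecurityToken(Issuer, Audience,
            new[] { new Claim("sub", "alice") },
            DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5), credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Builds the JWKS JSON a jwks_uri would return for this key (no private parameters).
    static string PublicJwks(RSA rsa, string kid)
    {
        RSAParameters p = rsa.ExportParameters(false);
        return "{\"keys\":[{\"kty\":\"RSA\",\"use\":\"sig\",\"kid\":\"" + kid + "\"," +
               "\"n\":\"" + Base64UrlEncoder.Encode(p.Modulus) + "\"," +
               "\"e\":\"" + Base64UrlEncoder.Encode(p.Exponent) + "\"}]}";
    }

    static string Validate(string jwt, IEnumerable<SecurityKey> keys)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKeys = keys
            // ValidateIssuer, ValidateAudience and ValidateLifetime default to true.
        };
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear(); // keep "sub" as "sub", as in the question
        try
        {
            ClaimsPrincipal user = handler.ValidateToken(jwt, parameters, out SecurityToken _);
            return "valid, sub=" + user.FindFirst("sub")?.Value;
        }
        catch (SecurityTokenException ex)
        {
            return "rejected (" + ex.GetType().Name + ")";
        }
    }
}
```

Only the token checked against the key set that contains its signing key validates; the client-secret attempt and the token signed by the unpublished key are rejected with a SecurityTokenException subtype, the same class of failure as the IDX10501 error quoted in the question.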

You are trying to use SymmetricKey for JWT validation. Try looking at your token in JWT.io and if the algorithm is "RS256" then SymmetricKey won't work.

















answered Feb 17 at 20:51
akhileshcoer

You have specified:

    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret"))

but the JwtSecurityTokenHandler could not match it with the key which can be part of jwt header itself. Basically it means that your configuration has mismatch[es] with configuration of the real issuer. The error suggests that this relates to the signature keys.

Please, check the configuration of that issuer (if you can), find out missed parts, and try again.

You can use jwt.io to debug your jwt online.

















answered Feb 16 at 9:12
stukselbax
