{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 时光不老,我们不散 的问题《UseJwtBearerAuthentication signing key》','https://www.manongdao.com/q-326160.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to implement the JWT Bearer Authentication in my AspNetCore MVC app (Web API only) using the JwtBearerMiddleware but am getting a 401 response with header:
WWW-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"
The relevant code in Startup.cs looks like this:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = "https://example.okta.com",
Audience = "myClientId"
});
With the Authority URL I'd expect the middleware to query my Identity Provider metadata from https://example.okta.com/.well-known/openid-configuration to get the jwks_uri to then get the signature keys from https://example.okta.com/oauth2/v1/keys. I don't think this is happening. What do I need to do to get it to find and use the signature keys? Thanks
After following references and digging into the AspNet Security repo (specifically the
JwtBearerHandlerandJwtBearerMiddlewareclasses), which led me to the Microsoft.IdentityModel namespace which is in an Azure Extensions repo (first theConfigurationManager<T>class, then to theOpenIdConnectConfigurationRetrieverclass (GetAsyncmethod), then to theJsonWebKeySet.GetSigningKeys()method), I finally discovered that the JwtBearerMiddleware does indeed get the keys from the jwks_uri in the metadata. Phew.So why wasn't it working? What I should've checked earlier is that the kid in the header of the Bearer JWT did not in fact match either of the kid's from the jwks_uri, hence it wasn't found. It was the access_code that I was sending as the bearer token. The id_token on the other hand does have a kid that matches, so using that instead it worked!
I've since read:
...so I can't use the access token.