ASP.NET,C# Error - DX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier

I am having trouble authentication an asp.net MVC app (Framework 4.8).
The token is returned but somehow not authenticated - this is the full errormessage

DX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token: ‘{“alg”:“HS512”,“typ”:“JWT”,“kid”:“ba913656-689d-457d-a466-d56119311451”}.{“exp”:1609177556,“iat”:1609177256,“auth_time”:1609176273,“jti”:“1840f400-2cf4-4167-a451-59887f0c959b”,“iss”:“https://auth.justbytes.io/auth/realms/test",“aud”:“account”,“sub”:“343b94bb-f994-4561-ad3b-9b9eff7e3513”,“typ”:“Bearer”,“azp”:“testapp”,“session_state”:“d3b486f8-da68-4c56-9680-71b8c44a0d14”,“acr”:“0”,“allowed-origins”:["*"],“realm_access”:{“roles”:[“TestAppAccess”,“offline_access”,“sg_SamlApp”,“uma_authorization”]},“resource_access”:{“account”:{“roles”:[“manage-account”,“manage-account-links”,“view-profile”]}},“scope”:"openid profile email”,“email_verified”:false,“name”:“Thomas Hansen”,“preferred_username”:“gnu”,“given_name”:“Thomas”,“family_name”:“Hansen”,“email”:“gnu@tbma.dk”}’.

Any help?

Kind regards
Thomas.

Are you sure that HS512 signing algorithm (used in your token) is supported by your app/code?

I would go with more common RS256 algorithm in your case. You can configure that one in the Realm settings -> Tokens -> Default Signature Algorithm.

Hello Jangaraj,
This is strange - it keeps outputting the HS256 no matter what i set in the “Default signature Algorithm”
I tried to create a new Realm and app - same response.

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token: ‘{“alg”:“HS256”,“typ”:“JWT”,“kid”:“c99f0ae1-99e5-4fca-8e4b-8272027a6248”}.{“exp”:1609187549,“iat”:1609185749,“jti”:“717b2355-f1b8-4b7d-9eb8-8c24b84ba9ab”,“iss”:“https://auth.justbytes.io/auth/realms/test2",“aud”:“https://auth.justbytes.io/auth/realms/test2”,“sub”:“ce8e8b4d-1edc-4aab-b0c1-5b6ab0b2b674”,“typ”:“Refresh”,“azp”:“apptest”,“session_state”:“8e2ba602-899e-409e-90f4-d83d34806cc4”,“scope”:"openid email profile”}’.

I am using version 12.0.1 in Docker

I guess your are configuring that for master realm, but your app is using test realm. Make sure you are configuring right realm.

Sorry - but it looks right…
image

I found this

That’s pretty bad if that is the case.

I would say no problem. Just select another OIDC certified library for your use case - https://openid.net/developers/certified/ . It really doesn’t need to have have “keycloak” in the name, because OIDC is not a Keycloak specific protocol.

We have a success - thanks you for your help in pointing me in the right direction Jangaraj :slight_smile:image

Hi tma,
I used the same library and facing the same issue that you were facing. I am very new to keycloak.
Now I have opted for “IdentityModel.OidcClient”.

It shall be great if you can share the startup.cs configuration code snippet for the same.

I am facing the similar issue.

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
   (
   IsReadOnly = False,
   Count = 1,
   Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
   )
',
token: '{"alg":"HS256","typ":"JWT","kid":"d4475260-88c4-4df9-82ca-b4f20000ec5a"}.{"exp":1645529349,"iat":1645527549,"jti":"716d29b1-0e51-42c7-ac1d-48b391a673fd","iss":"http://localhost:8080/realms/mirsal","aud":"http://localhost:8080/realms/mirsal","sub":"c0f5c079-f104-42ce-ad23-a6c727084c82","typ":"Refresh","azp":"booqchat","session_state":"efe6ddf1-2bee-48b0-884b-88e6ddd5978e","scope":"openid email profile","sid":"efe6ddf1-2bee-48b0-884b-88e6ddd5978e"}'.

the same here… somebody has a solution pls?

I couldn’t find any help on the above, now I have achieved it using “OpenIdConnectAuthentication” in ASP.NET.