tma
December 28, 2020, 5:45pm
1
I am having trouble authenticating an asp.net MVC app (Framework 4.8).
The token is returned but somehow not authenticated. This is the full error message:
IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token: '{"alg":"HS512","typ":"JWT","kid":"ba913656-689d-457d-a466-d56119311451"}.{"exp":1609177556,"iat":1609177256,"auth_time":1609176273,"jti":"1840f400-2cf4-4167-a451-59887f0c959b","iss":"https://auth.justbytes.io/auth/realms/test","aud":"account","sub":"343b94bb-f994-4561-ad3b-9b9eff7e3513","typ":"Bearer","azp":"testapp","session_state":"d3b486f8-da68-4c56-9680-71b8c44a0d14","acr":"0","allowed-origins":["*"],"realm_access":{"roles":["TestAppAccess","offline_access","sg_SamlApp","uma_authorization"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"openid profile email","email_verified":false,"name":"Thomas Hansen","preferred_username":"gnu","given_name":"Thomas","family_name":"Hansen","email":"gnu@tbma.dk"}'.
Any help?
Kind regards
Thomas.
Are you sure that the HS512 signing algorithm (used in your token) is supported by your app/code? I would go with the more common RS256 algorithm in your case. You can configure that one in Realm settings -> Tokens -> Default Signature Algorithm.
tma
December 28, 2020, 8:06pm
3
jangaraj:
RS25
Hello Jangaraj,
This is strange: it keeps outputting HS256 no matter what I set in "Default Signature Algorithm".
I tried to create a new Realm and app, same response.
IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token: '{"alg":"HS256","typ":"JWT","kid":"c99f0ae1-99e5-4fca-8e4b-8272027a6248"}.{"exp":1609187549,"iat":1609185749,"jti":"717b2355-f1b8-4b7d-9eb8-8c24b84ba9ab","iss":"https://auth.justbytes.io/auth/realms/test2","aud":"https://auth.justbytes.io/auth/realms/test2","sub":"ce8e8b4d-1edc-4aab-b0c1-5b6ab0b2b674","typ":"Refresh","azp":"apptest","session_state":"8e2ba602-899e-409e-90f4-d83d34806cc4","scope":"openid email profile"}'.
I am using version 12.0.1 in Docker
I guess you are configuring that for the master realm, but your app is using the test realm. Make sure you are configuring the right realm.
tma
December 28, 2020, 9:05pm
5
Sorry - but it looks right…
tma
December 28, 2020, 9:36pm
6
tma:
IDX10500
I found this
opened 03:12PM - 08 Aug 19 UTC
Hi,
Thank you for creating this library. I just cloned the sample ASP.Net 5 project and tried to run the app with my own keycloak server settings. The first time I received an exception related to the "audience" validation; since I don't need that I just disabled it using the property "DisableAudienceValidation". Now I am getting another exception related to SecurityKeyIdentifier.
Could you please let me know what is missing?
The exception is as below.
IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token: '{"alg":"HS256","typ":"JWT","kid":"4718be89-a61c-4007-b355-6c85319c9c9f"}.{"jti":"8635361e-7825-40d9-94a4-faae4b3fe264","exp":1565278106,"nbf":0,"iat":1565276306,"iss":"http://localhost:8080/auth/realms/master","aud":"http://localhost:8080/auth/realms/master","sub":"dd09c01c-be26-48b6-9942-efc0b1abc3b6","typ":"Refresh","azp":"sampleclient","auth_time":0,"session_state":"a59830f0-9fd2-4bf4-ae74-7dda461aab0f","realm_access":{"roles":["offline_access","uma_authorization"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"openid email profile"}'.
That’s pretty bad if that is the case.
I would say no problem. Just select another OIDC certified library for your use case - https://openid.net/developers/certified/ . It really doesn't need to have "keycloak" in the name, because OIDC is not a Keycloak specific protocol.
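Every IDX10500 pasted in this thread has the same shape: the header says alg HS256 (or HS512 in the first post) and a kid that the .NET key resolver cannot find. The diagnostic below, added here as an illustration and not code from the thread or from any library mentioned in it, decodes a token's header and claims without verifying it and checks the kid against a JWKS document. The JWKS and the tokens are constructed inline (the kids, issuer and key material are placeholders), and the placeholder signature segment is never checked; the point is to separate "this kid is absent from the JWKS" from "this token is HMAC-signed, so no JWKS could ever contain its key".

```python
import base64
import json

# Constructed JWKS modelled on a realm's certs endpoint: only public
# (asymmetric) signing keys are published there. Key ids and values
# are made up for this example.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "example-rsa-kid", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "example-modulus", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build header.payload.<placeholder> for the diagnostic below.
    The third segment is a constant placeholder: this script never verifies
    signatures, it only inspects the header and the claims."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def diagnose(token: str, jwks: dict) -> dict:
    """Explain why a resolver that only reads the realm JWKS may be unable
    to find the token's kid. This does NOT validate the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))

    alg = header.get("alg", "")
    kid = header.get("kid")
    published = {k.get("kid") for k in jwks.get("keys", [])}
    symmetric = alg.startswith("HS")  # HS256 / HS384 / HS512 are HMAC

    if symmetric:
        verdict = ("HMAC-signed token (%s): the shared secret is never published "
                   "in a JWKS, so a JWKS-only resolver cannot resolve kid %r"
                   % (alg, kid))
    elif kid not in published:
        verdict = ("kid %r is not in the JWKS; refetch the keys or check that "
                   "the app points at the realm that issued the token" % kid)
    else:
        verdict = "kid %r resolvable from JWKS with %s" % (kid, alg)

    return {
        "alg": alg,
        "kid": kid,
        "typ": claims.get("typ"),
        "iss": claims.get("iss"),
        "is_refresh_token": claims.get("typ") == "Refresh",
        "symmetric": symmetric,
        "kid_in_jwks": kid in published,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed token shaped like the ones in the thread: HS256, typ Refresh.
    refresh_like = make_unsigned_token(
        {"alg": "HS256", "typ": "JWT", "kid": "example-hmac-kid"},
        {"typ": "Refresh", "iss": "https://idp.example/realms/demo", "azp": "demo-app"},
    )
    print(json.dumps(diagnose(refresh_like, SAMPLE_JWKS), indent=2))
```

Two things the output makes visible for the tokens in this thread. First, the `typ` claim is `Refresh` in every post after the first: the app is handing a refresh token, which is meant only for the token endpoint, to a resource-server validator, and Keycloak signs refresh tokens with HS256 regardless of the realm's default signature algorithm, which matches the "keeps outputting HS256 no matter what I set" observation. Second, even for the first post's access token, HS512 means the key is a shared secret that the certs endpoint does not publish, so switching the realm default to RS256 (as suggested above) is what lets a JWKS-based resolver find the kid.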
tma
December 29, 2020, 2:29pm
8
We have a success - thank you for your help in pointing me in the right direction Jangaraj
Hi tma,
I used the same library and am facing the same issue that you were facing. I am very new to keycloak.
Now I have opted for “IdentityModel.OidcClient”.
It shall be great if you can share the startup.cs configuration code snippet for the same.
I am facing the similar issue.
IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token: '{"alg":"HS256","typ":"JWT","kid":"d4475260-88c4-4df9-82ca-b4f20000ec5a"}.{"exp":1645529349,"iat":1645527549,"jti":"716d29b1-0e51-42c7-ac1d-48b391a673fd","iss":"http://localhost:8080/realms/mirsal","aud":"http://localhost:8080/realms/mirsal","sub":"c0f5c079-f104-42ce-ad23-a6c727084c82","typ":"Refresh","azp":"booqchat","session_state":"efe6ddf1-2bee-48b0-884b-88e6ddd5978e","scope":"openid email profile","sid":"efe6ddf1-2bee-48b0-884b-88e6ddd5978e"}'.
kttary
March 16, 2022, 4:11pm
10
The same here… does somebody have a solution pls?
I couldn’t find any help on the above, now I have achieved it using “OpenIdConnectAuthentication” in ASP.NET .
asaf
January 9, 2023, 11:48am
12
how did you resolve this?