IDX10500 : Getting Signature validation failed for keycloak integration with ASP.NET MVC 5 Application

I am using an ASP.NET MVC 5 application (.NET Framework 4.5 or 4.8) with Keycloak. I can see my login in Keycloak, but it also gives an error. Please explain the error and the solution for it. Any link to understand more about Keycloak would help.

Here is my startup.cs class:

using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Owin.Security.Keycloak; // third-party middleware that provides UseKeycloakAuthentication (namespace assumed from the Owin.Security.Keycloak NuGet package)

[assembly: OwinStartup(typeof(keycloakapp1.Startup))]
namespace keycloakapp1
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Name of the persistent authentication middleware for lookup
            const string persistentAuthType = "keycloak_cookies";

            // --- Cookie Authentication Middleware - Persists user sessions between requests
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = persistentAuthType
            });
            app.SetDefaultSignInAsAuthenticationType(persistentAuthType); // Cookie is primary session store

            // --- Keycloak Authentication Middleware - Connects to central Keycloak database
            app.UseKeycloakAuthentication(new KeycloakAuthenticationOptions
            {
                // App-Specific Settings
                ClientId = "myclient", // *Required*
                ClientSecret = "gxgRB2Z9BDIbxTOPw8mkeBFBUCp7wCOZ", // If using public authentication, delete this line
                VirtualDirectory = "", // Set this if you use a virtual directory when deploying to IIS

                // Instance-Specific Settings
                Realm = "myrealm", // Don't change this unless told to do so
                KeycloakUrl = "http://localhost:8080", // Enter your Keycloak URL here

                // Template-Specific Settings
                SignInAsAuthenticationType = persistentAuthType, // Sets the above cookie with the Keycloak data
                AuthenticationType = "keycloakapp1", // Unique identifier for the auth middleware
                DisableAudienceValidation = true, // Skips the "aud" check; weakens token validation
                AllowUnsignedTokens = true,       // Accepts tokens that carry no signature; weakens token validation
            });
        }
    }
}

I am getting the IDX10500 error:

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause )
',
token: '{"alg":"HS256","typ":"JWT","kid":"f7b7d7a5-4c05-4278-b9e0-e496fc96cba7"}.
{"exp":1706119094,"iat":1706117294,"jti":"8ff74d97-8622-4e34-b715-d322a1c9f881","iss":"http://localhost:8080/realms/myrealm","aud":"http://localhost:8080/realms/myrealm","sub":"b656aadd-39cf-4f05-b3aa-7133bd8275d9","typ":"Refresh","azp":"myclient","session_state":"31947692-5bce-411d-93c2-5e20770710b8","scope":"openid profile email","sid":"31947692-5bce-411d-93c2-5e20770710b8"}'.

In the header of the token you have "alg":"HS256", which indicates the JWT is signed symmetrically. Without storing the symmetric key in your ASP app, signature checking will not work.

Try to set up your Keycloak to use asymmetric RSA signing ("alg":"RS256"), which should be the default as far as I know. Then ASP can download the corresponding public key from Keycloak's jwks_uri (https://…/certs) and verify the signature.

You are trying to verify the signature of the refresh token. This is neither required nor needed.
The client just needs to keep the refresh token and use it in case the access token is expired and needs to be refreshed. Clients only need to verify access and ID tokens, not refresh tokens; there's no reason for it.

Hi @dasniko, can you please explain a little more about which part it is validating on the refresh token?

This is the refresh token ("typ":"Refresh"); it has an HMAC-based signature (shared secret), which you can't verify outside of Keycloak.

I don't know why your library wants to verify the refresh token; there's no reason for it to do so. And I don't know how to stop your library from doing this, as I don't know the .NET ecosystem.

For classical ASP.NET MVC you could try using Microsoft.Owin.Security.OpenIdConnect. As .NET ships with everything you need for OIDC, there's no need to use a third-party Keycloak-specific library (I assume you are using this one, which is outdated and no longer maintained…).
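To make the two points above concrete (an HS256 signature cannot be checked without the shared secret, and a "typ":"Refresh" token should not be checked by the client at all), here is an added example that is not code from the thread, from Keycloak, or from either .NET library. It classifies a Keycloak-issued JWT before touching the signature and verifies RS256 tokens against the realm's JWKS document. It assumes the NuGet packages System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens (5.2 or later), a JWKS string fetched from the realm's /protocol/openid-connect/certs endpoint, and the issuer http://localhost:8080/realms/myrealm from the error message; the class and enum names are my own.

```csharp
// Added example (not from the original thread): decide whether a Keycloak JWT
// should be signature-checked, and check RS256 tokens against the realm JWKS.
// Assumes NuGet packages System.IdentityModel.Tokens.Jwt and
// Microsoft.IdentityModel.Tokens 5.2+ (JsonWebKeySet.GetSigningKeys).
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

public static class KeycloakTokenCheck
{
    public enum Verdict
    {
        SkipRefreshToken,   // "typ":"Refresh": never verified by a relying party
        NeedsSharedSecret,  // HS* algorithm: only Keycloak holds the HMAC key
        Verified,           // RS256 signature, issuer, audience and lifetime all valid
        Invalid             // signature present but validation failed
    }

    // rawToken:       compact JWS from Keycloak
    // jwksJson:       body of http://localhost:8080/realms/myrealm/protocol/openid-connect/certs (assumed URL)
    // expectedIssuer: "http://localhost:8080/realms/myrealm" (from the error in the thread)
    // clientId:       "myclient"; ID tokens carry aud = client id
    public static Verdict Inspect(string rawToken, string jwksJson, string expectedIssuer, string clientId)
    {
        var handler = new JwtSecurityTokenHandler();

        // ReadJwtToken decodes header and payload WITHOUT validating anything,
        // so it is safe to use for routing decisions only.
        JwtSecurityToken unverified = handler.ReadJwtToken(rawToken);

        unverified.Payload.TryGetValue("typ", out object typ);
        if ((typ as string) == "Refresh")
            return Verdict.SkipRefreshToken;

        // The JWKS only publishes public keys, so a "kid" belonging to an HS256
        // token is never resolvable there; this is the IDX10500 failure above.
        if (unverified.Header.Alg.StartsWith("HS", StringComparison.Ordinal))
            return Verdict.NeedsSharedSecret;

        var jwks = new JsonWebKeySet(jwksJson);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = expectedIssuer,
            ValidAudience = clientId,
            IssuerSigningKeys = jwks.GetSigningKeys(), // public RSA keys published by the realm
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };

        try
        {
            handler.ValidateToken(rawToken, parameters, out SecurityToken validated);
            return Verdict.Verified;
        }
        catch (SecurityTokenException)
        {
            // Covers expired tokens, wrong issuer/audience and bad signatures alike;
            // log the exception type if you need to tell them apart.
            return Verdict.Invalid;
        }
    }
}
```

Call `KeycloakTokenCheck.Inspect(idToken, jwksJson, "http://localhost:8080/realms/myrealm", "myclient")` on the ID token and expect `Verified`; run it on the refresh token from the error message and it returns `SkipRefreshToken` before any key lookup happens. For an access token, replace `ValidAudience` with the `ValidAudiences` that your realm's audience mapper actually puts into `aud`, rather than switching audience validation off as the first Startup.cs does.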

Hi @mbonn, I was trying with OpenID Connect. Below is the attached code snippet. I am getting a 404 error.

using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Keep the raw OIDC claim names (sub, email, ...) instead of mapping them to the SAML-style URIs
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap = new Dictionary<string, string>();
// before v5.0 was: JwtSecurityTokenHandler.InboundClaimTypeMap

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies"
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "myclient",
    Authority = "http://localhost:8080/", // discovery document is fetched from Authority + ".well-known/openid-configuration"
    RedirectUri = "http://localhost:56021/",
    ResponseType = "id_token",
    Scope = "openid email",
    UseTokenLifetime = false,
    SignInAsAuthenticationType = "Cookies",
    RequireHttpsMetadata = false // local http test only
});

Error: Response status code does not indicate success: 404 (Not Found).

As Authority, take the issuer of your Keycloak realm:
http://localhost:8080/auth/realms/MYREALM or http://localhost:8080/realms/MYREALM (depending on your Keycloak setup).
By default, Keycloak has the implicit flow disabled, so you should probably change the ResponseType to "code".
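Putting both corrections together, here is an added example of the complete Startup.cs with the realm issuer as Authority and the authorization code flow; it is my own illustration and not code from the thread or from the Microsoft.Owin.Security.OpenIdConnect project. It assumes Microsoft.Owin.Security.OpenIdConnect 4.1 or later (for RedeemCode), Microsoft.Owin.Security.Cookies, a confidential client "myclient" in realm "myrealm" on a Keycloak without the /auth prefix, and the app running on http://localhost:56021 as in the snippet above; the placeholder secret and the constant names are mine.

```csharp
// Added example, not the poster's code: OWIN OpenID Connect against Keycloak with
// Authority = realm issuer and the authorization code flow.
// Assumes Microsoft.Owin.Security.OpenIdConnect 4.1+ and Microsoft.Owin.Security.Cookies.
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(keycloakapp1.Startup))]
namespace keycloakapp1
{
    public class Startup
    {
        // Realm issuer; on legacy deployments it is http://localhost:8080/auth/realms/myrealm.
        // The middleware appends /.well-known/openid-configuration to this value.
        private const string Issuer = "http://localhost:8080/realms/myrealm";
        private const string ClientId = "myclient";
        private const string ClientSecret = "<client secret from Keycloak>"; // placeholder; load from config, not source

        public void Configuration(IAppBuilder app)
        {
            // Keep the raw OIDC claim names (sub, preferred_username, ...) instead of the SAML-style mapping.
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.SameAsRequest, // becomes Secure once the app is served over https
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                ClientSecret = ClientSecret,
                Authority = Issuer,
                RedirectUri = "http://localhost:56021/",
                PostLogoutRedirectUri = "http://localhost:56021/",
                ResponseType = OpenIdConnectResponseType.Code, // implicit flow is disabled by default in Keycloak
                RedeemCode = true,                             // middleware exchanges the code at the token endpoint
                Scope = OpenIdConnectScope.OpenIdProfile + " email",
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                UseTokenLifetime = false,
                RequireHttpsMetadata = false,                  // local http test only; true in production
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = Issuer,
                    ValidAudience = ClientId,                  // Keycloak sets the ID token "aud" to the client id
                    NameClaimType = "preferred_username",
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Surface signature, issuer and audience failures instead of a silent redirect loop.
                    AuthenticationFailed = ctx =>
                    {
                        ctx.HandleResponse();
                        ctx.Response.StatusCode = 401;
                        return ctx.Response.WriteAsync("OIDC authentication failed: " + ctx.Exception.Message);
                    }
                },
            });
        }
    }
}
```

With the code flow the ID token is fetched by the middleware from the token endpoint over the back channel, and only the ID token is signature-checked; the refresh token that triggered IDX10500 is stored as an opaque string and never validated.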

Thanks, it is working.