Issue validating JWT with .Net 5
-
I have a .Net test client project that is trying to call a .Net API server. The client uses the FusionAuth API to login a user and get a JWT token back:
    public static async Task<string> AuthenticateTestUser()
    {
        // Reuse the cached token across test calls.
        if (!string.IsNullOrEmpty(JwtToken))
        {
            return JwtToken;
        }

        var testApiKey = "DWCSwbQ-ZGVedjTw78Lvjwk9lx-Mr-6vYdzqS_RTYT8O-RNVr0_hBJfV"; // todo: use a more restricted API key
        var client = new FusionAuthClient(testApiKey, "http://localhost:9011");
        var accruedBenefitsAppId = Guid.Parse("bbfb892e-2a37-491e-8a4a-d87a12231c55");

        var response = await client.LoginAsync(new LoginRequest()
        {
            password = "**********",
            applicationId = accruedBenefitsAppId,
            loginId = "automated-test-user@site.com"
        });

        // Fail loudly on a rejected login instead of dereferencing a null successResponse.
        if (!response.WasSuccessful())
        {
            throw new InvalidOperationException($"FusionAuth login failed with HTTP {response.statusCode}");
        }

        JwtToken = response.successResponse.token;
        return JwtToken;
    }
I then use that JwtToken to make an API request with HttpClient and add the authorization like this:
httpReq.Headers.Authorization = new AuthenticationHeaderValue("Bearer", JwtToken);
I've configured the API application in startup to use authentication like this:
    services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            // Allows the discovery document and JWKS to be fetched over plain HTTP.
            options.RequireHttpsMetadata = false; // todo: don't deploy this!
            // The handler loads {Authority}/.well-known/openid-configuration and the signing keys it points to.
            options.Authority = configuration.GetValue<string>("AuthenticationSettings:Authority");
            // Must match the token's "aud" claim.
            options.Audience = configuration.GetValue<string>("AuthenticationSettings:ClientId");
            // Puts the validation failure reason into the WWW-Authenticate header on 401.
            options.IncludeErrorDetails = true;
        });
The authority value is simply the URL of my local FusionAuth instance (http://localhost:9011/) and the Audience is the ID of the API application I made (some GUID). Yet when I make the API request, I get a 401 response back and the value of the WWW-Authenticate header is:

    error="invalid_token", error_description="The signature key was not found" for Scheme Bearer

I have verified that the user exists and that they have a registration for the app that I am trying to validate for. The JWT token comes back fine and I can read it in JWT.io.
When I look at the various logs in FusionAuth, I see that there is a login for that user.
Obviously I am missing some important step, but I'm not sure what. Does the API project need to prove its identity in some way before it can validate the JWT token? I don't see any examples or mention of that.
-
@pburrows said in Issue validating JWT with .Net 5:
"The signature key was not found"
What signing method are you using? When I did this post I had to switch from HMAC to RSA for my signing key.
What library are you using to consume the JWT?
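An added example (not code from this thread, from FusionAuth, or from the blog post dan mentions) that reproduces the signing-method point offline. The API only ever sees what the Authority publishes in its JWKS, which is public key material; an HMAC secret is never published, so an HS256 token cannot be matched to any key and validation fails before the signature is even checked. The issuer and audience values, the key ids and the HMAC secret are constructed stand-ins; the only package assumed is System.IdentityModel.Tokens.Jwt (which brings in Microsoft.IdentityModel.Tokens).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwksKeyMismatchDemo
{
    // Constructed stand-ins for the thread's Authority URL and API application id.
    private const string Issuer = "http://localhost:9011/";
    private const string Audience = "00000000-0000-0000-0000-000000000000";

    // Mints a short-lived token the way an issuer would, with the given key and algorithm.
    public static string CreateToken(SigningCredentials credentials)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "automated-test-user") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = credentials
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Mirrors what AddJwtBearer does once it has fetched the JWKS from the Authority:
    // issuer, audience and lifetime are checked, and the signature must match a published key.
    public static JwtSecurityToken Validate(string token, SecurityKey publishedKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = publishedKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30)
        };
        new JwtSecurityTokenHandler().ValidateToken(token, parameters, out var validated);
        return (JwtSecurityToken)validated;
    }

    public static void Main()
    {
        // The issuer's RSA key pair; FusionAuth keeps the private half, the API never sees it.
        using var rsa = RSA.Create(2048);
        var rsaSigningKey = new RsaSecurityKey(rsa) { KeyId = "constructed-rsa-kid" };
        var rsaToken = CreateToken(new SigningCredentials(rsaSigningKey, SecurityAlgorithms.RsaSha256));

        // A symmetric key, as used when the application's JWT settings are left on HMAC.
        var hmacSecret = Encoding.UTF8.GetBytes("constructed-hmac-secret-at-least-32-bytes-long!!");
        var hmacSigningKey = new SymmetricSecurityKey(hmacSecret) { KeyId = "constructed-hmac-kid" };
        var hmacToken = CreateToken(new SigningCredentials(hmacSigningKey, SecurityAlgorithms.HmacSha256));

        // What the JWKS exposes: the RSA public key only, nothing for the HMAC secret.
        var publishedKey = new RsaSecurityKey(rsa.ExportParameters(false)) { KeyId = "constructed-rsa-kid" };

        var accepted = Validate(rsaToken, publishedKey);
        Console.WriteLine($"RS256 token accepted, sub={accepted.Subject}, kid={accepted.Header.Kid}");

        try
        {
            Validate(hmacToken, publishedKey);
            Console.WriteLine("HS256 token accepted (unexpected)");
        }
        catch (SecurityTokenSignatureKeyNotFoundException ex)
        {
            // This is the exception the JwtBearer handler reports as "The signature key was not found".
            Console.WriteLine($"HS256 token rejected: {ex.GetType().Name}");
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine($"HS256 token rejected for another reason: {ex.GetType().Name}: {ex.Message}");
        }
    }
}
```

The kid on the HMAC key matters for the demonstration: with a kid in the header that matches none of the published keys the handler throws SecurityTokenSignatureKeyNotFoundException, which is exactly what the 401 in the first post shows; without a kid it would report a plain invalid-signature failure instead.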
-
Thanks for the reply @dan.
I had followed that blog post, and created the RSA based key, but then forgot to set it in the Application JWT settings! Ha! That removed the "The signature key was not found" message. But I am still getting a 401 response (but now with no message).

For libraries, I am just using Microsoft.AspNetCore.Authentication to consume the JWT (see the .AddJwtBearer code above). I am not using Open ID Connect like in that blog post, nor anything else beyond that (future users will need to get the JWT token a different way).
-
I found after some experimenting that the above code works on the second POST. The first request always fails with a 401, but the second request will pass.
Not sure why that is happening, but I am going to move on for now and assume it is not a FusionAuth issue.
-
but I am going to move on for now and assume it is not a FusionAuth issue.
Great. Let us know if there turns out to be a FusionAuth issue.