FusionAuth
    pburrows

    @pburrows


    Best posts made by pburrows

    • RE: Issue validating JWT with .Net 5

      I found after some experimenting that the above code works on the second POST. The first request always fails with a 401, but the second request will pass.

      Not sure why that is happening, but I am going to move on for now and assume it is not a FusionAuth issue.

      posted in Q&A
      pburrows

    Latest posts made by pburrows

    • RE: Issue validating JWT with .Net 5

      Thanks for the reply @dan.
      I had followed that blog post, and created the RSA-based key, but then forgot to set it in the Application JWT settings! Ha!

      That removed the "The signature key was not found" message. But I am still getting a 401 response (but now with no message).

      For libraries, I am just using Microsoft.AspNetCore.Authentication to consume the JWT (see the .AddJwtBearer code above).

      I am not using OpenID Connect like in that blog post, nor anything else beyond that (future users will need to get the JWT token a different way).

      posted in Q&A
      pburrows
    • Issue validating JWT with .Net 5

      I have a .Net test client project that is trying to call a .Net API server. The client uses the FusionAuth API to log in a user and get a JWT token back:

      public static async Task<string> AuthenticateTestUser()
      {
          if (!string.IsNullOrEmpty(JwtToken))
          {
              return JwtToken;
          }

          var testApiKey =
              "DWCSwbQ-ZGVedjTw78Lvjwk9lx-Mr-6vYdzqS_RTYT8O-RNVr0_hBJfV"; // todo: use a more restricted API key
          var client = new FusionAuthClient(testApiKey, "http://localhost:9011");
          var accruedBenefitsAppId = Guid.Parse("bbfb892e-2a37-491e-8a4a-d87a12231c55");
          var response = await client.LoginAsync(new LoginRequest()
          {
              password = "**********",
              applicationId = accruedBenefitsAppId,
              loginId = "automated-test-user@site.com"
          });

          JwtToken = response.successResponse.token;
          return JwtToken;
      }
      

      I then use that JwtToken to make an API request with HttpClient and add the authorization like this:

      httpReq.Headers.Authorization = new AuthenticationHeaderValue("Bearer", JwtToken);
      

      I've configured the API application in startup to use authentication like this:

      services
          .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
          .AddJwtBearer(options =>
          {
              options.RequireHttpsMetadata = false; //todo: don't deploy this!
              options.Authority = configuration.GetValue<string>("AuthenticationSettings:Authority");
              options.Audience = configuration.GetValue<string>("AuthenticationSettings:ClientId");
              options.IncludeErrorDetails = true;
          });
      

      The authority value is simply the URL of my local FusionAuth instance (http://localhost:9011/) and the Audience is the ID of the API application I made (some GUID).

      Yet when I make the API request, I get a 401 response back and the value of the WWW-Authenticate header is: error="invalid_token", error_description="The signature key was not found" for Scheme Bearer.

      I have verified that the user exists and that they have a registration for the app that I am trying to validate for. The JWT token comes back fine and I can read it in JWT.io.

      When I look at the various logs in FusionAuth, I see that there is a login for that user.

      Obviously I am missing some important step, but I'm not sure what. Does the API project need to prove its identity in some way before it can validate the JWT token? I don't see any examples or mention of that.

      posted in Q&A
      pburrows
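
Added example, not code from the thread or from FusionAuth: a Python check of whether a token's unverified header points at a key that a resource server could find in the issuer's published key set, which is the condition behind the "The signature key was not found" error in the question above. The token builder, the sample JWKS and every `kid` value are constructed for illustration.

```python
import base64
import json

# Constructed sample key set; kid and key material are placeholders.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "sample-rsa-1", "use": "sig",
                         "alg": "RS256", "n": "placeholder", "e": "AQAB"}]}
# JWK "kty" expected for each asymmetric JWS algorithm family.
KTY_FOR_ALG = {"RS": "RSA", "PS": "RSA", "ES": "EC"}

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into Python data."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_token(header):
    """Build a constructed sample token with a dummy payload and signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'sample'})}.c2ln"

def diagnose(token, jwks):
    """Say whether a validator could locate this token's signing key in jwks.
    Reads the unverified header only; the signature is never checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed: expected header.payload.signature"
    try:
        header = b64url_json(parts[0])
    except ValueError:
        return "malformed: header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return "malformed: header is not a JSON object"
    alg, kid = str(header.get("alg", "")), header.get("kid")
    if alg.lower() == "none":
        return "unsigned: alg=none must be rejected"
    if alg.startswith("HS"):
        return "symmetric: an HMAC secret is not published in a JWKS"
    kty = KTY_FOR_ALG.get(alg[:2])
    if kty is None:
        return f"unsupported: alg={alg!r}"
    if kid is None:
        return "no-kid: header has no kid to match against the key set"
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == kty:
            return f"ok: kid={kid!r} is published as a {kty} key"
    return f"missing: kid={kid!r} with kty={kty} is not in the key set"

if __name__ == "__main__":
    for hdr in ({"alg": "HS256", "kid": "sample-hmac"},
                {"alg": "RS256", "kid": "sample-rsa-1"},
                {"alg": "RS256", "kid": "sample-rotated"}):
        print(hdr, "->", diagnose(make_token(hdr), SAMPLE_JWKS))
```

To use it on a real deployment, pass the token from the login response and the JSON document served at the issuer's JWKS URL in place of the constructed samples.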