<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D54z0000A3rdSyCQIOkta Classic EngineAuthenticationAnswered2024-04-01T14:47:32.000Z2024-03-29T09:14:58.000Z2024-04-01T14:47:32.000Z

BurnsR.32389 (Customer) asked a question.

Login fails after upgrading to NET8 - Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.

We have OKTA integrated with our NET7 API, the configuration is quite basic:

 

services.AddAuthentication(options =>

  {

    options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;

    options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;

    options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;

  })

  .AddOktaWebApi(new OktaWebApiOptions

  {

    OktaDomain = "https://" + Configuration.GetValue<string>("Okta:Host"),

    Audience = Configuration.GetValue<string>("Okta:Claims:Audience"),

    AuthorizationServerId = Configuration.GetValue<string>("Okta:ServerId"),

    JwtBearerEvents = new JwtBearerEvents

    {

      OnMessageReceived = context =>

      {

// Needed for SignalR

        var accessToken = context.Request.Query["access_token"];

        var path = context.HttpContext.Request.Path;

        if (!string.IsNullOrEmpty(accessToken) && path.StartsWithSegments("/hubs"))

        {

          context.Token = accessToken;

        }

 

        return Task.CompletedTask;

      }

    }

  });

 

We have upgraded our application to NET8 and we are now receiving this:

 

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.

 

We have managed to get this working by implementing:

 

var issuer = UrlHelper.CreateIssuerUrl(options.OktaDomain, options.AuthorizationServerId);

 

var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(

  issuer + "/.well-known/oauth-authorization-server",

  new OpenIdConnectConfigurationRetriever(),

  new HttpDocumentRetriever());

 

 var tokenValidationParameters = new DefaultTokenValidationParameters(options, issuer)

 {

   SignatureValidator = (token, _) => ValidateTokenWithRetry(token, issuer, options.Audience)

 };

 

and then not using the AddOktaWebApi extension from the Okta libraries and calling AddJwtBearer directly setting TokenValidationParameters.

 

Our question is why has this stopped working for NET8 and what is the recommended implementation from Okta?


  • User16594883467582706479 (Customer Support Online Experience)

    Hi, @BurnsR.32389 (Customer)​ 

     

    Thank you for posting on our Community page!

     

    This looks like a known change made by Microsoft some time ago, you can read about it here:

    https://github.com/dotnet/aspnetcore/issues/52075#issuecomment-1815025177

     

    For more information, I suggest you contact their Support directly as they may have better knowledge on the latest changes.

     

     

    Thank you for reaching out to our Community and have a great day!

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post
  • ForageJ.48182 (Customer)

    Our issue exists regardless of whether we use SecurityTokenValidators or TokenHandlers, so I don't believe it's related to the Microsoft change you reference.

     

    The issue here is that we need to implement SignatureValidator in order to attach the public signing keys manually since upgrading to .NET 8. We didn't need to do this when running on .NET 7.

     

    The code supplied above works, to be clear, but is there any configuration you can advise on where we don't have to manually implement SignatureValidator in order for signature validation to work implicitly / via the Okta package?

    Expand Post
    • User16594883467582706479 (Customer Support Online Experience)

      Hi, @ForageJ.48182 (Customer)​ 

       

      Thank you for posting on our Community page!

       

      I suggest opening a case with Support so they can take a more in depth look at the use case.

       

      Thank you for reaching out to our Community and have a great day!

       

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

      Expand Post
This question is closed.
Loading
Login fails after upgrading to NET8 - Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.