FusionAuth

SecurityTokenSignatureKeyNotFoundException

  • R
    ronn316
    last edited by 17 Dec 2023, 09:19

    Hello,

    I am new to FusionAuth and I'm trying to get the .NET sample project to work.

    I have FusionAuth running in a docker container, with an application created and user registered. I configured the OAuth settings of the application by following tutorials.

    [image]

    I updated the ClientId and ClientSecret in the sample project.

    When running the project and clicking Login, it takes me to the login page which suggests I've done something right in my configuration, but after entering my credentials and hitting login, I get the following error:

    SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
    kid: '92902df5-0934-4d76-8a60-2cd51028249e'.
    Number of keys in TokenValidationParameters: '0'.
    Number of keys in Configuration: '0'.
    Exceptions caught:
    ''.
    token: '{"alg":"HS256","typ":"JWT","gty":["authorization_code"],"kid":"92902df5-0934-4d76-8a60-2cd51028249e"}.{"aud":"92902df5-0934-4d76-8a60-2cd51028249e","exp":1702807798,"iat":1702804198,"iss":"acme.com","sub":"2df810a4-88bc-485a-a5cf-bfaabf35b90d","jti":"e2c1c289-57b5-49b1-b495-636d06845545","authenticationType":"PASSWORD","email":"xxx@live.com","email_verified":true,"at_hash":"fdhn0KtbqQBef_-NsDooNw","c_hash":"VONxcXgqSxzV4_Zu7FCjbw","scope":"openid profile","nonce":"638384009905855197.YzJiMjZjNzEtNzA1NC00ZWMzLWIYzUwNTVjZmFkNTc4Yjk2OTdhMmUtNWIyOS00ZmU3LWI2MjgtNmVkMTBhMzQ0OGU1","sid":"cc61bc4a-d54b-4d0a-9a7b-9ac867ea401a","auth_time":1702804198,"tid":"92394bcb-4c73-307e-5796-e24fb0c9b435"}'.

    What did I miss?

    Thank you

    • M
      mark.robustelli @ronn316
      last edited by mark.robustelli 18 Dec 2023, 18:40

      @ronn316 Which browser are you using?

      Also, did you try using the container that the project uses or did you try to configure an existing instance of FusionAuth?

      You may also want to check this out: https://fusionauth.io/community/forum/topic/2419/security-token-signature-key-not-found-exception-idx10501-signature-validation-failed-unable-to-match-key?_=1702924941464

      • R
        ronn316 @mark.robustelli
        last edited by 19 Dec 2023, 19:10

        @mark-robustelli Hi Mark, thanks for your help.

        I tried in Edge and Chrome and both have the same error. As for your question regarding the container, the sample .NET project from FusionAuth doesn't come with a dockerfile for FusionAuth. I spun up my own container locally using the following in a docker-compose.

        [image]

        I had a look at that link you shared and indeed I did not configure the JWT settings. I followed those instructions, and it seems that progress is made but now I get this error. Slightly different however. It now says that 1 key exists in the configuration. It seems that the key is not supported?

        SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
        kid: '92902df5-0934-4d76-8a60-2cd51028249e'.
        Number of keys in TokenValidationParameters: '0'.
        Number of keys in Configuration: '1'.
        Exceptions caught:
        'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
        Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.ECDsaSecurityKey, KeyId: 'C_5YEripJK7EJEZv0PgLOC1lc2c', InternalId: 'BMot3zaznmxHMG8fJ1qoP3NzS-PwyKvhaeO7Twrow_g'.'
        is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
        
        • M
          mark.robustelli @ronn316
          last edited by 20 Dec 2023, 14:53

          @ronn316 The quickstart example should take you through spinning up a docker image. Is this the link you are using? https://fusionauth.io/docs/quickstarts/quickstart-dotnet-web. If not, what sample project are you looking at?

          Once we get on the same page with what example you are trying to run, I will see if I can replicate your issue.

          • R
            ronn316 @mark.robustelli
            last edited by 20 Dec 2023, 19:09

            @mark-robustelli Indeed you're right, the quickstart project does have instructions for spinning up a docker image. I skipped that because I followed the instructions from this page for setting up docker:

            https://fusionauth.io/docs/quickstarts/5-minute-docker

            Although I did not use an .env file so I was filling in the database connection info on the maintenance page once spinning up the container.

            After using the docker-compose from the quickstart project, the issue seems to not occur now.

            Still, I would like to know what I was missing in my own docker-compose configuration. I did not create the elasticsearch container, is that necessary? Everything seemed to work without it. I also didn't use a kickstart file, nor did I set up any volumes for the config file. Again these don't seem like things that would cause this error.

            Here's the full docker-file:

            version: '3.4'
            
            services:
              fusionauth:
                image: fusionauth/fusionauth-app
                ports:
                 - "9011:9011"
                depends_on:
                  db:
                    condition: service_healthy
                    required: true
                networks:
                 - mybackend-network
            
              db:
                image: postgres:latest
                restart: always
                container_name: 'db'
                environment:
                  # The official postgres image reads POSTGRES_USER; POSTGRES_USERNAME is ignored.
                  POSTGRES_USER: postgres
                  POSTGRES_PASSWORD: password
                  POSTGRES_DB: invoicing
                ports: 
                  - "5433:5432"
                volumes:
                  - local_postgres_data:/var/lib/postgresql/data
                networks:
                  - mybackend-network
                healthcheck:
                  test: pg_isready -U postgres
                  interval: 10s
                  timeout: 5s
                  retries: 5
            
            volumes:
              local_postgres_data: {}
            
            networks:
              mybackend-network:
                driver: bridge
            
            • R
              ronn316
              last edited by 21 Dec 2023, 07:03

              It seems I figured it out; it was something I missed. In the JWT settings of my application, under JSON web token settings, I forgot to also change the Id token signing key to my new key. I had only changed the Access token signing key before. Now it logs in fine.

              • M
                mark.robustelli @ronn316
                last edited by 21 Dec 2023, 22:00

                @ronn316 Awesome! Thanks for sharing.

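The mismatch behind both IDX10501 errors in this thread can be checked offline by comparing a token's header with the keys a JWKS-based validator has loaded. The script below is an added example, not code from the thread or from the FusionAuth sample project; the function names and result strings are hypothetical, and the ES256 token stands in for an ID token signed with the EC key named in the second error (an assumption about the fixed configuration).

```python
import base64
import json

# Signature-algorithm prefix -> JWK key type ("kty") that can verify it.
# "oct" is a shared secret, which is not published at a JWKS endpoint.
ALG_TO_KTY = {"HS": "oct", "RS": "RSA", "PS": "RSA", "ES": "EC"}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def read_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT without verifying it."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token: str, jwks: dict) -> str:
    """Report whether a JWKS-only validator can find a key for this token."""
    header = read_header(token)
    alg, kid = header.get("alg", ""), header.get("kid")
    kty = ALG_TO_KTY.get(alg[:2])
    if kty is None:
        return "unsupported-alg"
    if kty == "oct":
        return "symmetric-alg"  # no JWKS entry can ever match this token
    by_kid = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not by_kid:
        return "kid-not-in-jwks"
    if by_kid[0].get("kty") != kty:
        return "kty-mismatch"
    return "ok"


def sample_token(alg: str, kid: str) -> str:
    """Constructed token: placeholder payload and signature, header as given."""
    return ".".join([_b64url({"alg": alg, "typ": "JWT", "kid": kid}),
                     _b64url({"iss": "acme.com"}), "c2ln"])


# Constructed inputs; the two kid values are the ones shown in the errors above.
HS_TOKEN = sample_token("HS256", "92902df5-0934-4d76-8a60-2cd51028249e")
ES_TOKEN = sample_token("ES256", "C_5YEripJK7EJEZv0PgLOC1lc2c")
EMPTY_JWKS = {"keys": []}
EC_JWKS = {"keys": [{"kty": "EC", "kid": "C_5YEripJK7EJEZv0PgLOC1lc2c"}]}

if __name__ == "__main__":
    for tok, ks in [(HS_TOKEN, EMPTY_JWKS), (HS_TOKEN, EC_JWKS), (ES_TOKEN, EC_JWKS)]:
        print(read_header(tok)["alg"], len(ks["keys"]), diagnose(tok, ks))
```

The HS256 token fails against both the empty and the one-key JWKS, matching the two errors posted; only a token whose `alg` and `kid` line up with a published key passes.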