FusionAuth

JWT Validation Issues with RSA-SHA256 and JwtBearer Middleware (.NET / C#)

Q&A
net jwt csharp webapi
  • chukwuemekai
    last edited 25 Jun 2024, 15:15

    Hi everyone,

    I'm facing challenges validating JWTs generated by FusionAuth using RSA-SHA256 within my .NET application using the JwtBearer middleware. I've generated a public/private key pair in the FusionAuth Key Master and configured my application as follows:

    public static void AddFusionAuthentication(this IServiceCollection services)
    {
        var fusionAuthSettings = services.BuildServiceProvider().GetRequiredService<IOptions<FusionAuthSettings>>().Value;
        byte[] publicKeyBytes = Convert.FromBase64String(fusionAuthSettings.IssuerSigningPublicKey);
        
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
            {
                opt.Authority = fusionAuthSettings.FusionAuthUrl;
                opt.Audience = fusionAuthSettings.ClientId;
                opt.IncludeErrorDetails = true; // for debugging
    
                opt.TokenValidationParameters = new()
                {
                    ValidateIssuer = true,
                    ValidIssuers = [fusionAuthSettings.Issuer],
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(publicKeyBytes)
                };
            });
    
        services.AddAuthorization(options => { });
    }
    

    However, I'm encountering two unexpected scenarios:

    1. The JWT validation succeeds regardless of the value I set for IssuerSigningPublicKey.
    2. Even when using the correct public key from FusionAuth, JWTs signed with different keys are still validated successfully.

    It seems like the signature validation isn't working as expected.

    Has anyone else encountered similar issues? Could there be a configuration problem in FusionAuth or my .NET application? Any guidance or suggestions for troubleshooting would be greatly appreciated.

    Thanks in advance!

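Added example, not part of the original post or FusionAuth's own code: one way to pin JwtBearer validation to a single RSA public key, assuming the key is available as PEM text (the class, method and parameter names are hypothetical). `Authority` is left unset because, when it is set, the handler also downloads the authority's metadata and accepts the signing keys published there.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class PinnedRsaJwtExtensions // hypothetical name
{
    // issuer, audience and publicKeyPem are supplied by the caller (assumed
    // to come from configuration); publicKeyPem is the RSA public key as PEM.
    public static IServiceCollection AddPinnedRsaJwt(
        this IServiceCollection services,
        string issuer,
        string audience,
        string publicKeyPem)
    {
        // SymmetricSecurityKey is for HMAC secrets; an RSA public key has to
        // be wrapped in RsaSecurityKey. The RSA instance is not disposed here
        // because the key is used for the lifetime of the application.
        var rsa = RSA.Create();
        rsa.ImportFromPem(publicKeyPem); // available since .NET 5
        var signingKey = new RsaSecurityKey(rsa);

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
            {
                // Authority is deliberately not set, so only the key below
                // is ever used to check signatures.
                opt.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = issuer,
                    ValidateAudience = true,
                    ValidAudience = audience,
                    ValidateLifetime = true,
                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,
                    // Reject tokens whose header names any other algorithm.
                    ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }
                };
            });

        return services;
    }
}
```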