azure-activedirectory-identitymodel-extensions-for-dotnet: WsFederationMessage.GetToken() is appending " " to SAML (Formatting is breaking signature check - Sign in fails)

WS-Federation was working for me prior to upgrading to .NET Core 3. I have a typical setup, shown below, followed by the exception that began after the upgrade. Not sure if there are any changes I should make to affect or resolve this.

Also it would be nice if I could step into the code (could not load module / find symbols). I may be missing something there - let me know if there is a way for me to step through and troubleshoot further.

I’m using Microsoft.AspNetCore.Authentication.WsFederation 3.0.0, which depends on / brings in Microsoft.IdentityModel.Protocols.WsFederation (>= 5.5.0).

// Cookie scheme signs in and persists the principal; WS-Federation is only
// used for the challenge (redirect to the identity provider).
services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(federationOptions =>
{
    // Federation metadata supplies the signing keys used to validate the SAML token.
    federationOptions.MetadataAddress = _options.MetadataAddress;
    federationOptions.Wtrealm = _options.Realm;
    federationOptions.Events.OnSecurityTokenValidated = OnSecurityTokenValidated;
    federationOptions.Events.OnRedirectToIdentityProvider = OnRedirectToIdentityProvider;
})
.AddCookie(cookieOptions =>
{
    cookieOptions.ExpireTimeSpan = TimeSpan.FromDays(1);
    cookieOptions.Events.OnValidatePrincipal = OnValidateCookiePrincipal;
    cookieOptions.Events.OnRedirectToAccessDenied = OnRedirectToAccessDenied;
});

Exception occurred while processing message. [Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler] 
 Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'. , KeyId: 0F0AC48C0B8FB903E0F49823DD2C133908EF139E
'.
Exceptions caught:
 'Microsoft.IdentityModel.Xml.XmlValidationException: IDX30200: The 'Signature' did not validate. CryptoProviderFactory: 'Microsoft.IdentityModel.Tokens.CryptoProviderFactory', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'.'.
   at Microsoft.IdentityModel.Xml.Signature.Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
'.
token: 'Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken'.
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRemoteAuthenticateAsync()
09-26-2019 11:08:04.729 INF [0105C316619L, ] Error from RemoteAuthentication: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'. , KeyId: 0F0AC48C0B8FB903E0F49823DD2C133908EF139E
'.
Exceptions caught:
 'Microsoft.IdentityModel.Xml.XmlValidationException: IDX30200: The 'Signature' did not validate. CryptoProviderFactory: 'Microsoft.IdentityModel.Tokens.CryptoProviderFactory', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'.'.
   at Microsoft.IdentityModel.Xml.Signature.Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
'.
token: 'Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken'.. [Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler] 
 09-26-2019 11:08:04.875 ERR [0105C316619L, ] An unhandled exception has occurred while executing the request. [Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware] 
 System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'. , KeyId: 0F0AC48C0B8FB903E0F49823DD2C133908EF139E
'.
Exceptions caught:
 'Microsoft.IdentityModel.Xml.XmlValidationException: IDX30200: The 'Signature' did not validate. CryptoProviderFactory: 'Microsoft.IdentityModel.Tokens.CryptoProviderFactory', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'.'.
   at Microsoft.IdentityModel.Xml.Signature.Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
'.
token: 'Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken'.
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Disney.DTCI.AdSales.Common.Middleware.AdVisorCorrelationLogging.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 43 (20 by maintainers)

Most upvoted comments

@everettcomstock @northof490 we will ping you when we have something to test. Most likely the week of Sept 7th.

@northof490 I would like to propose a change where the user has the ability to ‘ignore’ whitespace outside of elements. This allows a user to have control.

@cathalpern I moved this to the current release, which was marked as today. The team has a planning meeting on Monday, we will set a realistic release date.

Yeah, it adds those characters. See my 3rd comment where I suggest a fix. I forked and tried that locally and it worked for me.
Basically I changed the XML Writer settings to use `NewLineHandling.None` and that helped.
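To see what a writer-based token extraction does to the signed bytes, here is an added check in C# (not code from the issue or from the IdentityModel library): it copies the assertion out of a constructed wresult envelope through an XmlWriter under each NewLineHandling value and reports whether the token came back byte-identical. It assumes an XmlWriter copy as the extraction mechanism and uses a constructed assertion, not a real token.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class TokenRoundTrip
{
    const string TrustNs = "http://schemas.xmlsoap.org/ws/2005/02/trust";
    // Constructed token (not a real assertion): a bare "\n" inside a text node
    // that is part of the signed content.
    const string Token =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_constructed\">" +
        "<saml:AttributeStatement><saml:Attribute AttributeName=\"note\">" +
        "<saml:AttributeValue>line one\nline two</saml:AttributeValue>" +
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>";

    // The wresult envelope the token arrives in.
    const string WResult =
        "<t:RequestSecurityTokenResponse xmlns:t=\"" + TrustNs + "\"><t:RequestedSecurityToken>" +
        Token + "</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>";

    // Writer-based extraction: copy the first child of RequestedSecurityToken
    // through an XmlWriter configured with the given NewLineHandling.
    public static string Extract(NewLineHandling handling)
    {
        using var reader = XmlReader.Create(new StringReader(WResult));
        reader.ReadToDescendant("RequestedSecurityToken", TrustNs);
        reader.Read();                       // now on the Assertion start tag
        var settings = new XmlWriterSettings
        {
            ConformanceLevel = ConformanceLevel.Fragment,
            NewLineHandling = handling,
            NewLineChars = "\r\n",           // pinned so the result is OS-independent
        };
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, settings))
            writer.WriteNode(reader, false);
        return sb.ToString();
    }

    // True only if the extracted bytes are exactly the bytes that were signed;
    // any inserted character means the verifier hashes different bytes.
    public static bool Unchanged(NewLineHandling handling) => Extract(handling) == Token;

    static void Main()
    {
        foreach (var h in new[] { NewLineHandling.Replace, NewLineHandling.None })
            Console.WriteLine($"{h}: token bytes unchanged = {Unchanged(h)}");
    }
}
```

Running the same comparison against a captured wresult from your own STS (with the real token in place of the constructed one) tells you whether the extraction step, rather than the keys, is what the IDX30200 failure is reporting.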