microsoft-identity-web: With multiple JWT issuers, Wilson can't be stopped from validating all tokens
Microsoft.Identity.Web Library: Microsoft.Identity.Web
Microsoft.Identity.Web version: 1.25.1
Web app: Sign-in users and call web APIs
Web API: Protected web APIs (validating tokens)
Token cache serialization: Not Applicable
Description
I’m attempting to use JWT tokens from 3 different sources:
- Auth0
- Custom tokens
- Azure AD.
The first two are able to co-exist happily. As soon as Azure AD is added via AddMicrosoftIdentityWebApi or AddMicrosoftIdentityWebApiAuthentication, the MSAL library attempts to validate all tokens and there does not seem to be a way to specify that it should only validate tokens from Azure AD.
Reproduction steps
- In ConfigureServices add multiple JWT authentication providers, as below. This example shows 3 but the issue can be demonstrated with only one. The purpose of having 3 is to show that the 2 non-Azure AD JWT sources are able to co-exist.
- Attempt to authenticate with a non-Azure AD JWT token.
- The MSAL library attempts, and fails, to validate the JWT token and writes a bunch of exception messages.
Error message
When attempting to use a custom JWT token the following exception messages are generated by MSAL. The token does then get verified by the custom JWT token validation.
crit: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
Microsoft.IdentityModel Version: 6.20.0.0. Date 07/06/2022 19:32:45. PII logging is ON, do not use in production. See https://aka.ms/IdentityModel/PII for details.
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg', InternalId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg', InternalId: 'IQ1gy6Cza8BbkLrw80AYh3UH350oOFKm9QeWEPF8NWE'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'l3sQ-50cCH4xBVZLHTGwnSR7680', InternalId: 'l3sQ-50cCH4xBVZLHTGwnSR7680'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'l3sQ-50cCH4xBVZLHTGwnSR7680', InternalId: 'LlUnii3g-HMRTX5PNvx5txOjjOTxueiGxH6Skj6fRn0'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'Mr5-AUibfBii7Nd1jBebaxboXW0', InternalId: 'Mr5-AUibfBii7Nd1jBebaxboXW0'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'Mr5-AUibfBii7Nd1jBebaxboXW0', InternalId: 'Ym2fIwyTcp6t_wj_iOHCbQ8cFjGoGBuiNLP3XidTdiQ'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc', InternalId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc', InternalId: '_udyW57J1VwylR_snXgpKRWitM4RbBdaZaR_xD7hztA'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI', InternalId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI', InternalId: '5vnA1wRh7yyUBZovEPXd0fWnTXqyCZxRpaa2Jqq05Qs'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc', InternalId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc', InternalId: '8cTdfkGpvGb-S7Jm4j2Qx_vFGaTWhyHvzyUNxDldt00'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo', InternalId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo', InternalId: 'T-s3zxWfMfabVb7tJrPhb9qEnJ3U6apw7zs6OhfXZe4'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg', InternalId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg'. , KeyId: nOo3ZDrODXEK1jKWhXslHR_KXEg
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg', InternalId: 'IQ1gy6Cza8BbkLrw80AYh3UH350oOFKm9QeWEPF8NWE'. , KeyId: nOo3ZDrODXEK1jKWhXslHR_KXEg
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'l3sQ-50cCH4xBVZLHTGwnSR7680', InternalId: 'l3sQ-50cCH4xBVZLHTGwnSR7680'. , KeyId: l3sQ-50cCH4xBVZLHTGwnSR7680
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'l3sQ-50cCH4xBVZLHTGwnSR7680', InternalId: 'LlUnii3g-HMRTX5PNvx5txOjjOTxueiGxH6Skj6fRn0'. , KeyId: l3sQ-50cCH4xBVZLHTGwnSR7680
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'Mr5-AUibfBii7Nd1jBebaxboXW0', InternalId: 'Mr5-AUibfBii7Nd1jBebaxboXW0'. , KeyId: Mr5-AUibfBii7Nd1jBebaxboXW0
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'Mr5-AUibfBii7Nd1jBebaxboXW0', InternalId: 'Ym2fIwyTcp6t_wj_iOHCbQ8cFjGoGBuiNLP3XidTdiQ'. , KeyId: Mr5-AUibfBii7Nd1jBebaxboXW0
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc', InternalId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc'. , KeyId: jS1Xo1OWDj_52vbwGNgvQO2VzMc
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc', InternalId: '_udyW57J1VwylR_snXgpKRWitM4RbBdaZaR_xD7hztA'. , KeyId: jS1Xo1OWDj_52vbwGNgvQO2VzMc
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI', InternalId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI'. , KeyId: 2ZQpJ3UpbjAYXYGaXEJl8lV0TOI
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI', InternalId: '5vnA1wRh7yyUBZovEPXd0fWnTXqyCZxRpaa2Jqq05Qs'. , KeyId: 2ZQpJ3UpbjAYXYGaXEJl8lV0TOI
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc', InternalId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc'. , KeyId: DqUu8gf-nAgcyjP3-SuplNAXAnc
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc', InternalId: '8cTdfkGpvGb-S7Jm4j2Qx_vFGaTWhyHvzyUNxDldt00'. , KeyId: DqUu8gf-nAgcyjP3-SuplNAXAnc
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo', InternalId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo'. , KeyId: OzZ5Dbmcso9Qzt2ModGmihg30Bo
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo', InternalId: 'T-s3zxWfMfabVb7tJrPhb9qEnJ3U6apw7zs6OhfXZe4'. , KeyId: OzZ5Dbmcso9Qzt2ModGmihg30Bo
'. Number of keys in TokenValidationParameters: '14'.
Number of keys in Configuration: '0'.
Exceptions caught:
'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg', InternalId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'nOo3ZDrODXEK1jKWhXslHR_KXEg', InternalId: 'IQ1gy6Cza8BbkLrw80AYh3UH350oOFKm9QeWEPF8NWE'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'l3sQ-50cCH4xBVZLHTGwnSR7680', InternalId: 'l3sQ-50cCH4xBVZLHTGwnSR7680'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'l3sQ-50cCH4xBVZLHTGwnSR7680', InternalId: 'LlUnii3g-HMRTX5PNvx5txOjjOTxueiGxH6Skj6fRn0'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'Mr5-AUibfBii7Nd1jBebaxboXW0', InternalId: 'Mr5-AUibfBii7Nd1jBebaxboXW0'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'Mr5-AUibfBii7Nd1jBebaxboXW0', InternalId: 'Ym2fIwyTcp6t_wj_iOHCbQ8cFjGoGBuiNLP3XidTdiQ'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc', InternalId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'jS1Xo1OWDj_52vbwGNgvQO2VzMc', InternalId: '_udyW57J1VwylR_snXgpKRWitM4RbBdaZaR_xD7hztA'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI', InternalId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: '2ZQpJ3UpbjAYXYGaXEJl8lV0TOI', InternalId: '5vnA1wRh7yyUBZovEPXd0fWnTXqyCZxRpaa2Jqq05Qs'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc', InternalId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'DqUu8gf-nAgcyjP3-SuplNAXAnc', InternalId: '8cTdfkGpvGb-S7Jm4j2Qx_vFGaTWhyHvzyUNxDldt00'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo', InternalId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'HS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'OzZ5Dbmcso9Qzt2ModGmihg30Bo', InternalId: 'T-s3zxWfMfabVb7tJrPhb9qEnJ3U6apw7zs6OhfXZe4'.'
is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
token: '{"alg":"HS256","typ":"JWT"}.{"tokenid":"ed856e3b-8c71-49f1-acf1-313ce7184f5f"}'
Relevant code snippets
```csharp
// Azure AD scheme (registers the default "Bearer" scheme and calls AddAuthentication internally)
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);

services.AddAuthentication()
    // Auth0 scheme: keys are fetched from the Auth0 authority's metadata
    .AddJwtBearer(AUTH0_AUTHENTICATION_SCHEME, options =>
    {
        options.Authority = domain;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = ClaimTypes.NameIdentifier,
            ValidateIssuer = true,
            ValidateIssuerSigningKey = true,
            ValidAudiences = new List<string>
            {
                Configuration[ConfigKeys.AUTH0_AUDIENCE],
                Configuration[ConfigKeys.AUTH0_AUDIENCE_STRONG],
                Configuration[ConfigKeys.AUTH0_AUDIENCE_MACHINE]
            }
        };
    })
    // Custom scheme: HS256 tokens signed with a shared symmetric key
    .AddJwtBearer("myapp", options =>
    {
        var key = Encoding.UTF8.GetBytes("secret-token-encryption-key");
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ValidateAudience = false,
            ValidateIssuer = false,
            RequireExpirationTime = false,
            IssuerSigningKey = new SymmetricSecurityKey(key),
        };
    });
```
Regression
No response
Expected behavior
The MSAL library should ignore any JWT tokens that have not been issued by Azure AD if there are multiple JWT issuers configured…
About this issue
- State: open
- Created 2 years ago
- Comments: 26 (1 by maintainers)
@jmprieur : do you have any plans to fix this issue? We are facing exactly the same issue as OP and @maffelbaffel in the linked issue above, after upgrading to 1.25.1 or higher. We also have multiple authentication schemes: one for B2C and another using Azure AD for app registration type of flow.
For us this is even worse as our monitoring system depends on the logs being error-free, so our operations team would be overwhelmed by false positives.
To me the framework is not working correctly when it is validating the tokens not belonging to the authentication scheme in question and logs errors that are not real errors.
Oh I see. Thanks for the feedback and the explanation. So we are now surfacing too many details, and the ASP.NET Core logs were enough in that case.
@sruke, @jennyf19 : Let’s see what we can do here to have less noisy logs. Maybe we could have a special namespace (Microsoft.Identity.Model) for the IIdentityLogger so that customers who are not interested in the Microsoft.IdentityModel logs don’t get them.
@nlz242, aside: You should not use AddMicrosoftIdentityWebApiAuthentication in your case as it does both: AddMicrosoftIdentityWebApi …So in your code above you set the default authentication scheme twice. What you'd want to do is:

```csharp
services.AddAuthentication("Scheme1") // if you want Scheme1 to be the default scheme
    .AddMicrosoftIdentityWebApi(_configuration, "AzureB2C:Tenant1", jwtBearerScheme: "Scheme1");

services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(_configuration, "AzureB2C:Tenant2", jwtBearerScheme: "Scheme2");
```

The "try until it works, or all configured schemes have been tried" is handled by ASP.NET Core's JwtBearer middleware (used internally by Microsoft.Identity.Web).
But in any case that’s not going to change anything to your logs issue.
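The following is an added example, not code from this issue, from its commenters, or from Microsoft.Identity.Web. It addresses both the original report (the Azure AD handler attempting to validate Auth0 and custom HS256 tokens and logging IDX10634/IDX10503 for each key) and the note above about registering each issuer under its own scheme name rather than through AddMicrosoftIdentityWebApiAuthentication. It uses ASP.NET Core's AddPolicyScheme with ForwardDefaultSelector so that each request is forwarded to exactly one JwtBearer scheme, chosen from the token's unverified header and issuer; the chosen handler still does all real validation. The scheme names, the Configure helper, and the configuration keys Auth0:Domain, Auth0:Audience and CustomJwt:SigningKey are assumptions for the example.

```csharp
// Added example (not code from this issue or from Microsoft.Identity.Web): a policy scheme
// that forwards each request to exactly one JwtBearer scheme, chosen from the token's
// unverified header/claims, so the Azure AD handler never tries to validate Auth0 or
// custom HS256 tokens. Scheme names and configuration keys below are assumptions.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public static class MultiIssuerAuthentication
{
    public const string SelectorScheme = "MultiIssuer"; // default scheme; only forwards
    public const string AzureAdScheme = "AzureAd";
    public const string Auth0Scheme = "Auth0";
    public const string CustomScheme = "myapp";

    public static void Configure(IServiceCollection services, IConfiguration configuration)
    {
        // Hypothetical configuration keys.
        string auth0Issuer = configuration["Auth0:Domain"];           // e.g. https://tenant.auth0.com/
        byte[] customKey = Encoding.UTF8.GetBytes(configuration["CustomJwt:SigningKey"]);

        AuthenticationBuilder builder = services.AddAuthentication(SelectorScheme);

        // The default scheme does no validation itself; it picks the handler that will.
        builder.AddPolicyScheme(SelectorScheme, SelectorScheme, options =>
        {
            options.ForwardDefaultSelector = context =>
                SelectScheme(context.Request.Headers["Authorization"].ToString(), auth0Issuer);
        });

        // Azure AD under its own scheme name. AddMicrosoftIdentityWebApiAuthentication is
        // avoided because it would call AddAuthentication() and set the default scheme again.
        builder.AddMicrosoftIdentityWebApi(configuration, "AzureAd", jwtBearerScheme: AzureAdScheme);

        builder.AddJwtBearer(Auth0Scheme, options =>
        {
            options.Authority = auth0Issuer;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateIssuerSigningKey = true,
                ValidAudience = configuration["Auth0:Audience"],
            };
        });

        builder.AddJwtBearer(CustomScheme, options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                RequireSignedTokens = true,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
                ValidateAudience = false,
                ValidateIssuer = false,
                IssuerSigningKey = new SymmetricSecurityKey(customKey),
                // Pin the symmetric algorithm so this scheme never accepts an RS256 token.
                ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            };
        });
    }

    // Routing decision only. Nothing read here is trusted: the selected handler still
    // performs full signature, issuer, audience and lifetime validation.
    public static string SelectScheme(string authorizationHeader, string auth0Issuer)
    {
        const string prefix = "Bearer ";
        if (authorizationHeader == null ||
            !authorizationHeader.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        {
            return AzureAdScheme; // no bearer token: let the Azure AD handler issue the 401 challenge
        }

        string token = authorizationHeader.Substring(prefix.Length).Trim();
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(token))
        {
            return AzureAdScheme;
        }

        JwtSecurityToken jwt;
        try
        {
            jwt = handler.ReadJwtToken(token); // parses the compact JWS without validating it
        }
        catch (ArgumentException)
        {
            return AzureAdScheme;
        }

        // Only the custom scheme uses a symmetric key, so an HS256 token can only be meant
        // for it (this is the token shape from the issue: alg HS256 and no iss claim).
        if (string.Equals(jwt.Header.Alg, SecurityAlgorithms.HmacSha256, StringComparison.Ordinal))
        {
            return CustomScheme;
        }
        if (!string.IsNullOrEmpty(auth0Issuer) &&
            string.Equals(jwt.Issuer, auth0Issuer, StringComparison.Ordinal))
        {
            return Auth0Scheme;
        }
        return AzureAdScheme;
    }
}
```

With this arrangement a controller marked [Authorize] without an explicit scheme goes through MultiIssuer, which forwards it to one handler; the "try every scheme until one succeeds" behaviour that produces one IDX10634 entry per Azure AD signing key is replaced by a deterministic choice, and a failed validation is logged only by the handler the token was actually meant for. Routing on an unverified alg or iss is safe only because it never grants anything by itself: a forged header merely selects which validator rejects the token.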
I suspect this is the same problem
https://github.com/AzureAD/microsoft-identity-web/discussions/1797