"Signature validation failed" issue on first log in of the day (.NET)
I am using Zitadel as a basic OIDC provider in a .NET Core 8 app.
Sometimes, usually on the first login of the day, I get the error below. Subsequent logins will work fine after that:
-----------
SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. The token's kid is: '331015965120704997', but did not match any keys in TokenValidationParameters or Configuration. Keys tried: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: '330867128917864933', InternalId: 'eEY5cloHV5xw41nhCphXeR0cak5ePU8YYMXQzfSHtUc'. , KeyId: 330867128917864933
'. Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '1'.
Exceptions caught:
'[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
-----------
Checking <my-instance>/oauth/v2/keys I see two keys:
- 330867128917864933
- 331015965120704997
Seems to be an issue with syncing keys. I've tried playing around with options.ConfigurationManager.RefreshInterval but with no luck. Does anyone have an idea what's wrong here?
1 Reply
Here's my .NET OIDC config:
This is how I've configured OIDC in .NET Core 8:
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = OpenIdConnectDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        // Provider settings are read from the "OpenIDConnectSettings" configuration section.
        var oidcConfig = builder.Configuration.GetSection("OpenIDConnectSettings");
        options.Authority = oidcConfig["Authority"];
        options.ClientId = oidcConfig["ClientId"];
        options.CallbackPath = oidcConfig["RedirectUri"];
        options.SignInScheme = IdentityConstants.ExternalScheme;
        options.SaveTokens = true;
        // Authorization code flow with PKCE.
        options.UsePkce = true;
        options.ResponseType = "code";
        options.GetClaimsFromUserInfoEndpoint = true;
    })
    .AddExternalCookie()
    .Configure(o =>
    {
        // Cookie for the external sign-in scheme: HTTPS only, not readable from script.
        o.Cookie.HttpOnly = true;
        o.Cookie.IsEssential = true;
        o.Cookie.SameSite = SameSiteMode.None;
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });
---------------------------
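The error in the question reports one key in the cached configuration while the keys endpoint lists two, and the token's kid is the one that is not cached. As an added illustration (not code from the post, from Zitadel or from Microsoft.IdentityModel), the self-contained model below shows how a cached key set behaves after a key rotation when a lookup miss triggers a refetch that is limited to once per interval. `JwksCache`, `Resolve`, the returned status strings and the five-minute floor are hypothetical names and values chosen for the example.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: a relying party's cached key set across a provider key rotation.
public sealed class JwksCache
{
    private readonly Func<IReadOnlyCollection<string>> _fetchKids; // stands in for GET <my-instance>/oauth/v2/keys
    private readonly TimeSpan _minRefreshGap;                      // floor between miss-triggered refetches
    private HashSet<string> _kids;
    private DateTimeOffset _lastFetch;

    public JwksCache(Func<IReadOnlyCollection<string>> fetchKids, TimeSpan minRefreshGap, DateTimeOffset now)
    {
        _fetchKids = fetchKids;
        _minRefreshGap = minRefreshGap;
        _kids = new HashSet<string>(fetchKids());
        _lastFetch = now;
    }

    // Returns "hit", "hit-after-refresh", "unknown-kid" or "miss-throttled".
    public string Resolve(string kid, DateTimeOffset now)
    {
        if (_kids.Contains(kid)) return "hit";
        // Unknown kid: refetch at most once per _minRefreshGap, so tokens carrying
        // arbitrary kids cannot make the application hammer the provider.
        if (now - _lastFetch < _minRefreshGap) return "miss-throttled";
        _kids = new HashSet<string>(_fetchKids());
        _lastFetch = now;
        return _kids.Contains(kid) ? "hit-after-refresh" : "unknown-kid";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed scenario using the two key ids quoted in the post.
        var published = new List<string> { "330867128917864933" };
        var t0 = DateTimeOffset.UnixEpoch;
        var cache = new JwksCache(() => published.ToArray(), TimeSpan.FromMinutes(5), t0);

        published.Add("331015965120704997"); // provider starts signing with a new key

        Console.WriteLine(cache.Resolve("330867128917864933", t0.AddMinutes(1)));  // key already cached
        Console.WriteLine(cache.Resolve("331015965120704997", t0.AddMinutes(1)));  // new key, inside the floor
        Console.WriteLine(cache.Resolve("331015965120704997", t0.AddMinutes(10))); // new key, refetch allowed
        Console.WriteLine(cache.Resolve("not-a-real-kid", t0.AddMinutes(11)));     // bogus kid just after a refetch
    }
}
```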