azure-activedirectory-identitymodel-extensions-for-dotnet

ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt / v6.10.15 versus v6.10.10

Open projectje opened this issue 3 years ago • 21 comments

Net6 / aspnetcore api

  • v6.10.15 of microsoft.identitymodel.tokens appeared in update nuget packages. Clicked Update.
  • error message: method not found: ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt
  • reverting back to v6.10.10
  • all Ok


projectje avatar Dec 03 '21 23:12 projectje

Confirm, has a similar problem. Solution: revert to previous version (6.14.1)

Doomer3D avatar Dec 05 '21 10:12 Doomer3D

You changed signature of ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt in this commit by adding BaseConfiguration configuration

Doomer3D avatar Dec 05 '21 10:12 Doomer3D

Thank you @Doomer3D . Your fix works for me as well.

SebastianStehle avatar Dec 05 '21 19:12 SebastianStehle

ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt is an internal method, so if you're using the same version of the library across all packages this shouldn't be an issue. Can you confirm that all Microsoft.IdentityModel.* packages were updated to the same version?

mafurman avatar Dec 06 '21 19:12 mafurman

I think that is the point:

Microsoft.AspNetCore.Authentication.JwtBearer is on NuGet at 6.0.0 (using 6.10.0 ... packages > Microsoft.IdentityModel.Protocols.OpenIdConnect 6.10.0 >> System.IdentityModel.tokens.Jwt 6.10.0 >> Microsoft.IdentityModel.Tokens 6.10.0) : https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer/

and https://www.nuget.org/packages/Microsoft.IdentityModel.Tokens/ is on 6.10.15 on nuget.

projectje avatar Dec 06 '21 23:12 projectje

I use similar nugets:

  1. Microsoft.AspNetCore.Authentication.JwtBearer (6.0.0 latest)
  2. Microsoft.IdentityModel.Tokens (worked with 6.14.1, failed with 6.15.0)


Doomer3D avatar Dec 07 '21 00:12 Doomer3D

Could you provide a list of all the Microsoft.IdentityModel.* versions that your project is using as well as all the NuGet packages you are referencing in your project file?

mafurman avatar Dec 07 '21 22:12 mafurman

Solution contains 3 projects.

Core project references Microsoft.IdentityModel.Tokens? Web project references Microsoft.AspNetCore.Authentication.JwtBearer

All nugets in solution here: image

Doomer3D avatar Dec 08 '21 03:12 Doomer3D

I am having the same problem. Only Microsoft.IdentityModel.Tokens is referenced from my project and is on version 6.15.0

I have taken a look in the bin folder after build and the other Microsoft.IdentityModel.* packages are

  • Microsoft.IdentityModel.JsonWebTokens 6.10.0
  • Microsoft.IdentityModel.Logging 6.15.0
  • Microsoft.IdentityModel.Protocols 6.10.0
  • Microsoft.IdentityModel.Protocols.OpenIdConnect 6.10.0

Update: After adding references for these to my project and making sure all were at 6.15.0 the problem was solved.

eelke-at-bolt avatar Dec 08 '21 16:12 eelke-at-bolt

@eelke-at-bolt I'm glad to hear that making sure all references were on 6.15.0 addressed your problem! We need to make some changes on our end to ensure that using the exact same library version across all packages is required.

@Doomer3D Can you check your bin folder and see if all Microsoft.IdentityModel.* packages are the same? You need to ensure that all packages are on 6.15.0 to avoid these sorts of errors.

mafurman avatar Dec 08 '21 21:12 mafurman

@mafurman Some more details to help you understand what went wrong.

My service itself consists of multiple projects, let's say App and Core to keep it short. App had a reference to Microsoft.AspNetCore.Authentication.JwtBearer 6.0.0, which is the one depending on Microsoft.IdentityModel.JsonWebTokens (version resolved by NuGet). My Core project has a reference to Microsoft.IdentityModel.Tokens 6.15.0.

eelke-at-bolt avatar Dec 09 '21 05:12 eelke-at-bolt

@Doomer3D Can you check your bin folder and see if all Microsoft.IdentityModel.* packages are the same? You need to ensure that all packages are on 6.15.0 to avoid these sorts of errors.

Project references:

  • Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.0 (latest)
  • Microsoft.IdentityModel.Tokens: 6.15.0 (latest)

Libraries in bin:

  • Microsoft.AspNetCore.Authentication.JwtBearer.dll: 6.0
  • Microsoft.IdentityModel.JsonWebTokens.dll: 6.10
  • Microsoft.IdentityModel.Logging.dll: 6.15
  • Microsoft.IdentityModel.Protocols.dll: 6.10
  • Microsoft.IdentityModel.Protocols.OpenIdConnect.dll: 6.10
  • Microsoft.IdentityModel.Tokens.dll: 6.15

Doomer3D avatar Dec 09 '21 13:12 Doomer3D

Same here with version Microsoft.IdentityModel.Tokens 6.15.0 - revert to the previous version (6.14.1) works for now.

Here are my deps on a .net 6 project (nothing special):


    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.15.0" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.SpaServices.Extensions" Version="6.0.0" />

and error:

2021-12-09 14:57:44.4557|INFO|Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler|https://localhost/api/menu|127.0.0.1|Failed to validate the token.|User-Name=|System.MissingMethodException: Method not found: 'Void Microsoft.IdentityModel.Tokens.InternalValidators.ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt(Microsoft.IdentityModel.Tokens.SecurityToken, System.Nullable`1<System.DateTime>, System.Nullable`1<System.DateTime>, System.String, Microsoft.IdentityModel.Tokens.TokenValidationParameters, System.Text.StringBuilder)'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

meriturva avatar Dec 09 '21 14:12 meriturva

Can you use a binding redirect to address this? https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/runtime/bindingredirect-element

mafurman avatar Dec 10 '21 01:12 mafurman

I got the same issue when I updated from 6.14.1 to 6.15.0. Doomer3D mentioned the commit, part of the MR #1779.

the InternalValidators class has been updated but somehow something is wrong in the references.

Wonder if it could be related to #1796

ericbl avatar Dec 14 '21 10:12 ericbl

Project references:

  • Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.0 (latest)
  • Microsoft.IdentityModel.Tokens: 6.15.0 (latest)

Same for me, the issue is caused by Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.0, which refers to Microsoft.IdentityModel.Tokens: 6.10.0. You can see it when you open the packages tree in Visual Studio 2022.

Using Microsoft.AspNetCore.Authentication.JwtBearer 6.0 allows me to switch from

    new JwtSecurityTokenHandler().ValidateToken(token, tokenValidationParameters, out SecurityToken securityToken);

to

    TokenValidationResult result = new JsonWebTokenHandler().ValidateToken(token, tokenValidationParameters);

to validate the JWT token in my WebAPI application.

So eventually, after upgrading to .NET 6 (from .NET Core 3.1), I can now remove the explicit link to Microsoft.IdentityModel.Tokens (6.14.1 or 6.15.0) and stick to the 6.10.0 linked with Microsoft.AspNetCore.Authentication.JwtBearer.

Thus, the "fix" for me (and probably for many on dotnet 6) is to completely remove the NuGet package "Microsoft.IdentityModel.Tokens" from my project and use only the implicit dependency from Microsoft via the Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.0 and wait for further updates of Aspnetcore.

ericbl avatar Dec 14 '21 10:12 ericbl

I got the same problem when I was using Microsoft.IdentityModel.Token 6.16.0, but it works on v6.14.1.

Kaizen-Seiko avatar Mar 12 '22 16:03 Kaizen-Seiko

Encountered this today as well. Took a while to figure out what broke and I ended up reverting to 6.14.1. In my case I'm referencing the package to use the SymmetricSecurityKey class when configuring the TokenValidationParameters IssuerSigningKey.

andrewaggb avatar Apr 25 '22 20:04 andrewaggb

Had the same issue today, reverted to 6.14.1 and this fixed the issue. However, this is not a permanent solution.

Thus, the "fix" for me (and probably for many on dotnet 6) is to completely remove the NuGet package "Microsoft.IdentityModel.Tokens" from my project and use only the implicit dependency from Microsoft via the Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.0

I haven't tried this yet, might give it a shot.

eddex avatar May 10 '22 07:05 eddex

I find it unacceptable that this is still an issue today. JWT is a core functionality; I can't imagine the number of people affected by this.

In my case, I had the following dependencies in a brand new project using the Microsoft.NET.Sdk.Web SDK.

<PackageReference Include="CoreWCF.Http" Version="1.1.0" />
<PackageReference Include="CoreWCF.WebHttp" Version="1.1.0" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.7" />
<PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="6.4.0" />

Adding the following nuget package fixed the issue: <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.22.0" />

DanielLaberge avatar Aug 01 '22 21:08 DanielLaberge

I'm running into a problem with this issue too. For me it seems to be related to this commit, which was released in version 6.15.1 of both System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens

In short - it seems Microsoft.IdentityModel.Tokens 6.15.1 and higher is not backwards compatible with System.IdentityModel.Tokens.Jwt version 6.15.0 and lower, since method signature of ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt(..) has changed.

You would get into this situation for example if you're referencing version 6.0.* of Microsoft.AspNetCore.Authentication.JwtBearer in one place in your project, and elsewhere referencing Microsoft.IdentityModel.JsonWebTokens version 6.15.1 or higher - well I think there's all kind of ways you could end up in this situation - I got it myself using identity server and upgrading to .net 6.

Solution I guess is just to add explicit reference to System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens to make sure their versions match.

I have to wonder why does Microsoft.IdentityModel.Protocols.OpenIdConnect even reference System.IdentityModel.Tokens.Jwt any more though - it sounds like it is getting deprecated - according to THIS:

Microsoft.IdentityModel.JsonWebTokens.... This is a newer, faster version of System.IdentityModel.Tokens.Jwt

In my opinion:

  1. Microsoft.AspNetCore.Authentication.JwtBearer should update its reference on Microsoft.IdentityModel.Protocols.OpenIdConnect to 6.15.1+ - this change has already been made in the .net7 preview version of JwtBearer, but seems kind of late, it doesn't solve problem for the majority of people I think who're sticking with LTS for a while.

  2. Microsoft.IdentityModel.Protocols.OpenIdConnect should stop using System.IdentityModel.Tokens.Jwt and switch to Microsoft.IdentityModel.JsonWebTokens instead - at this point the former seems like little more than a facade over the latter for backwards compatibility.

RetainPhil avatar Sep 10 '22 17:09 RetainPhil

Thanks - been scratching my head on this one too - thanks for the info as it helped me

Adebeer avatar Oct 24 '22 07:10 Adebeer

2023 June, and still the issue with Microsoft.IdentityModel.Tokens Version 6.31.0.

I had the same "Method not found" exception as mentioned before:

   System.MissingMethodException : Method not found: 'Void Microsoft.IdentityModel.Tokens.InternalValidators.ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt(Microsoft.IdentityModel.Tokens.SecurityToken, System.Nullable`1<System.DateTime>, System.Nullable`1<System.DateTime>, System.String, Microsoft.IdentityModel.Tokens.TokenValidationParameters, System.Text.StringBuilder)'.
  Stapelverfolgung:
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
...

These three dlls were on version 6.11.1.20521:

  • Microsoft.IdentityModel.JsonWebTokens.dll,
  • Microsoft.IdentityModel.Protocols.dll,
  • Microsoft.IdentityModel.Protocols.OpenIdConnect.dll

Fixed the issue by explicitly adding to the .csproj file:

    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.31.0" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="6.31.0" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.31.0" />

IngmarPaetzold avatar Jun 16 '23 08:06 IngmarPaetzold

Could anyone on the team (@brentschmaltz?) please get someone to look at this issue? It would be much appreciated by anyone depending on Microsoft.AspNetCore.Authentication.JwtBearer. If this is the wrong place to report this issue (it's confusing that code under the Microsoft.AspNetCore namespace is hosted in this repo), please point us in the right direction.

This is such an old and prevalent issue that the workaround is documented in downstream projects' blogs and documentation, for example: image

Thank you.

DanielLaberge avatar Jun 28 '23 20:06 DanielLaberge

@DanielLaberge we are closing this as we are only fixing security issues in 6.x. Moving to asp.net 8 or updating all IdentityModel assemblies so they are the same version should solve the issue.

brentschmaltz avatar Mar 30 '24 17:03 brentschmaltz
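
A build-time check for the version skew discussed in this thread, as an added example that is not part of the thread or of the library: it reads the "libraries" section of the application's `.deps.json` from the build output and fails when the IdentityModel packages named above resolve to different versions. The sample input is constructed from the versions reported in the thread; the function names and the `App` project entry are illustrative.

```python
import json
import sys

# Packages named in the thread that ship together and must resolve to one version.
FAMILY = {
    "Microsoft.IdentityModel.Tokens",
    "Microsoft.IdentityModel.JsonWebTokens",
    "Microsoft.IdentityModel.Logging",
    "Microsoft.IdentityModel.Protocols",
    "Microsoft.IdentityModel.Protocols.OpenIdConnect",
    "System.IdentityModel.Tokens.Jwt",
}

# Constructed sample: "libraries" section of an <app>.deps.json from the build
# output, filled with the mixed versions reported in the thread.
SAMPLE_DEPS_JSON = """{"libraries": {
  "App/1.0.0": {"type": "project"},
  "Microsoft.AspNetCore.Authentication.JwtBearer/6.0.0": {"type": "package"},
  "Microsoft.IdentityModel.JsonWebTokens/6.10.0": {"type": "package"},
  "Microsoft.IdentityModel.Logging/6.15.0": {"type": "package"},
  "Microsoft.IdentityModel.Protocols/6.10.0": {"type": "package"},
  "Microsoft.IdentityModel.Protocols.OpenIdConnect/6.10.0": {"type": "package"},
  "Microsoft.IdentityModel.Tokens/6.15.0": {"type": "package"},
  "System.IdentityModel.Tokens.Jwt/6.10.0": {"type": "package"}
}}"""

def resolved_versions(deps_json_text):
    """Return {package: version} for FAMILY members listed under "libraries"."""
    found = {}
    for key in json.loads(deps_json_text).get("libraries", {}):
        name, sep, version = key.rpartition("/")
        if sep and name in FAMILY:
            found[name] = version
    return found

def version_key(version):
    # Compare numerically so that 6.9.0 sorts below 6.10.0; drop any -preview suffix.
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())

def find_skew(deps_json_text):
    """Return None when aligned, else (newest_version, [(package, version), ...])."""
    found = resolved_versions(deps_json_text)
    if len(set(found.values())) <= 1:
        return None
    newest = max(found.values(), key=version_key)
    return newest, sorted((n, v) for n, v in found.items() if v != newest)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEPS_JSON
    skew = find_skew(text)
    print("aligned" if skew is None else f"expected {skew[0]} everywhere, lagging: {skew[1]}")
    sys.exit(0 if skew is None else 1)
```

Run it against the `.deps.json` in the publish folder as a CI step; a non-zero exit means at least one of the listed packages lags behind the newest resolved version and needs an explicit, matching `PackageReference`.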