Azure Stack server using SSO OpenID: configuration failure after rollover / every 24 hours


I have a web application which has an issue with SSO authentication validation using "UseOpenIdConnectAuthentication": it fails when validating the IdTokens. It occurs every 24 hours, when the rollover happens. Then the site needs a configuration change or an Azure Stack server restart, which resolves the issue only for the next 24 hours/rollover. But the interesting part is that it occurs only on the production server, not on stage, test and dev. When comparing those 4 servers, production is using the ELR server but the others use CTC from the Azure Stack public cloud. Other than this, there are no other major differences between the servers. Still we can't point out where the issue is happening, whether it is related to the SSO configuration (config values are different on each server) and/or the .NET (C#) code base (same on all).

.NET Framework 4.7.1

Error description: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'.

Can you please help us get rid of this issue.

public static void Configuration(IAppBuilder app)
{
    // The discovery document and its JWKS are fetched once here, at process start
    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        $"{OidcOptions.Authority}/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever());
    var discoveryDocument = configurationManager.GetConfigurationAsync().Result;
    // GetSecurityKeyAsync is a project helper not shown in the question
    var signingKeys = GetSecurityKeyAsync(discoveryDocument.JwksUri).Result;
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        CookieManager = new SystemWebCookieManager()
    });
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = OidcOptions.ClientId,
            ClientSecret = OidcOptions.ClientSecret,
            Authority = OidcOptions.Authority,
            RedirectUri = OidcOptions.RedirectUri,
            PostLogoutRedirectUri = OidcOptions.PostLogoutRedirectUri,
            Scope = OidcOptions.Scope,
            ResponseType = OidcOptions.ResponseType,
            UseTokenLifetime = false,
            TokenValidationParameters = new TokenValidationParameters()
            {
                // The key list captured at startup is used for every later token validation
                IssuerSigningKeys = signingKeys,
                RequireSignedTokens = true,
                RequireExpirationTime = true,
                ValidateLifetime = true,
                ValidateAudience = true,
                ValidAudience = OidcOptions.Audience,
                ValidateIssuer = true,
                ValidIssuer = OidcOptions.Issuer
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                MessageReceived = OnMessageReceived,
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                SecurityTokenValidated = OnSecurityTokenValidated
            }
        }
    );
}
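An added example, not the question's code and not from any Azure Stack project: the same OWIN startup with the key source handed to the middleware through its ConfigurationManager property, so the discovery document and JWKS are re-read on a schedule and a rolled-over key id can be matched without a config change or restart. It assumes the question's OidcOptions holder and the Microsoft.Owin.Security.OpenIdConnect and Microsoft.IdentityModel.Protocols packages the snippet above already uses; the two refresh intervals are illustrative values.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public static class Startup
{
    public static void Configuration(IAppBuilder app)
    {
        // Hand the key source to the middleware instead of copying keys into IssuerSigningKeys
        // once at process start; the manager re-reads discovery + JWKS on its own schedule.
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{OidcOptions.Authority}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever())
        {
            AutomaticRefreshInterval = TimeSpan.FromHours(12), // assumed value: well inside a 24h rollover
            RefreshInterval = TimeSpan.FromMinutes(5)          // assumed value: floor between forced refreshes
        };
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebCookieManager() });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = OidcOptions.ClientId, ClientSecret = OidcOptions.ClientSecret,
            Authority = OidcOptions.Authority, RedirectUri = OidcOptions.RedirectUri,
            PostLogoutRedirectUri = OidcOptions.PostLogoutRedirectUri,
            Scope = OidcOptions.Scope, ResponseType = OidcOptions.ResponseType,
            ConfigurationManager = configurationManager, // replaces the static IssuerSigningKeys list
            TokenValidationParameters = new TokenValidationParameters
            {
                RequireSignedTokens = true, RequireExpirationTime = true, ValidateLifetime = true,
                ValidateAudience = true, ValidAudience = OidcOptions.Audience,
                ValidateIssuer = true, ValidIssuer = OidcOptions.Issuer
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = n =>
                {
                    // Unknown 'kid' (IDX10501) right after a rollover: request one early refresh so the next sign-in sees the new key
                    if (n.Exception is SecurityTokenSignatureKeyNotFoundException)
                        configurationManager.RequestRefresh();
                    return Task.FromResult(0); // this request still fails closed
                }
            }
        });
    }
}
```

The explicit RequestRefresh call is belt-and-braces: once a ConfigurationManager is set, the middleware's RefreshOnIssuerKeyNotFound option (default true) requests the same refresh on that exception type. Keep RequireSignedTokens and the issuer/audience checks as they are; the fix is to refresh the key set, not to relax validation.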
