I have used JSONWebToken npm module to generate a jwt:
var jwt = require('jsonwebtoken');
var payload = {
    "iss": "https://secure.examp
I'm not sure what API you are using, since the official Microsoft one does not contain the properties that you are using. My guess would be, you are using an outdated version.
I took the API from this NuGet package. And this is the code that worked for me:
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel.Security.Tokens;
using System.Text;

namespace SO25372035
{
    class Program
    {
        static void Main()
        {
            const string tokenString = @"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlY3VyZS5leGFtcGxlLmNvbS8iLCJleHAiOjE0MTA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9vcmdudW0iOiI5ODc5ODc5ODciLCJodHRwOi8vZXhhbXBsZS5jb20vdXNlciI6Im1lQGV4YW1wbGUuY29tIiwiaWF0IjoxNDA4NDE5NTQwfQ.jW9KChUTcgXMDp5CnTiXovtQZsN4X-M-V6_4rzu8Zk8";
            JwtSecurityToken tokenReceived = new JwtSecurityToken(tokenString);

            // The shared secret used by the issuer, as raw UTF-8 bytes.
            byte[] keyBytes = Encoding.UTF8.GetBytes("secret");

            // Zero-pad the key to 64 bytes so that it passes the library's key length check.
            if (keyBytes.Length < 64 && tokenReceived.SignatureAlgorithm == "HS256")
            {
                Array.Resize(ref keyBytes, 64);
            }

            // Issuer and audience checks are switched off in this sample; only the signature is validated.
            TokenValidationParameters validationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
                AudienceUriMode = AudienceUriMode.Never,
                SigningToken = new BinarySecretSecurityToken(keyBytes),
            };

            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
            ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(tokenReceived, validationParameters);

            // Print the claims carried by the validated token.
            IEnumerable<Claim> a = claimsPrincipal.Claims;
            foreach (var claim in a)
            {
                Console.WriteLine(claim);
            }
        }
    }
}
Note that I had to resize the array containing the key so that the key length passes the validation. It appears that the key length for HMAC is always equal to the block size, and for SHA256 it's 512 bits. There is a MinimumSymmetricKeySizeInBits static property that defines the minimum length of a SymmetricKey, but it appears it can't be set to be less than 128.
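Why resizing the key still validates tokens signed with the short secret, shown from the issuing (Node) side as an added example that is not part of the original answer: HMAC zero-pads any key shorter than the hash block size (64 bytes for SHA-256), so both keys give the same signature. The helper names and the sample claims are constructed for illustration, and a Node version with `base64url` Buffer encoding is assumed.

```javascript
// Added example, not code from the original post; all names and sample claims are constructed.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Zero-pad a short key to the HMAC block size, like Array.Resize(ref keyBytes, 64).
function padKey(key, blockSize = 64) {
  const raw = Buffer.from(key);
  return raw.length >= blockSize ? raw : Buffer.concat([raw, Buffer.alloc(blockSize - raw.length)]);
}

// Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(mac)
function signHS256(payload, key) {
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const body = b64url(JSON.stringify(payload));
  const mac = crypto.createHmac('sha256', key).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(mac)}`;
}

// Verify the signature and return the claims; throws on any failure.
// The verifier pins the algorithm instead of trusting the token's header.
function verifyHS256(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, body, sig] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  if (alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', key).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  return JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
}

// Constructed sample claims and keys.
const SAMPLE_CLAIMS = { iss: 'https://issuer.example/', 'http://example.com/user': 'me@example.com' };
const SHORT_KEY = 'secret';
const PADDED_KEY = padKey(SHORT_KEY);

// A token signed with the 6-byte secret verifies under the 64-byte padded key.
const sampleToken = signHS256(SAMPLE_CLAIMS, SHORT_KEY);
console.log(verifyHS256(sampleToken, PADDED_KEY).iss);
```

The padding adds no entropy, so the resized key is exactly as guessable as the original six-byte string.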
Correct about the key not being less than 128 bits; since support is only for AES, that is the minimum.
You can use your own SignatureProvider.
I also think you are using older bits. Have a look at the latest. http://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/
If you have any issues, let me know.
Try to use the TextEncodings.Base64Url.Decode API from the Microsoft.Owin.Security.Jwt package to decode the signing key.
Then I do the following to validate the token:
var principal = new JwtSecurityTokenHandler().ValidateToken(jwtheader,
    new TokenValidationParameters()
    {
        RequireExpirationTime = true,
        ValidAudience = audience,
        ValidIssuer = issuer,
        IssuerSigningKey = new InMemorySymmetricSecurityKey(secret)
    }, out token);