dotnet user-jwts fails to parse tokens it creates #59073

Closed
Labels
area-security Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update.

Comments

@enricoferrari

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

.NET 8.0.403 Microsoft.IdentityModel.JsonWebTokens.JsonWebToken cannot parse sub claims (even when the token is created by dotnet user-jwts).

To recreate:

  1. Run: dotnet user-jwts create --claim "sub=test"
  2. Run: dotnet user-jwts print {id-of-claim-from-step-1}

Result:
IDX12723: Unable to decode the payload '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

Expected Behavior

dotnet user-jwts print is able to parse the token and print details to the console

Exceptions (if any)

Debugging this further in a server, when parsing this token you can see from the inner exception details that it is unable to parse the sub claim:

Microsoft.IdentityModel.Tokens.SecurityTokenMalformedException: IDX14100: JWT is not well formed, there are no dots (.). The token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EndcodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'.
 ---> System.ArgumentException: IDX14101: Unable to decode the payload '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
 ---> System.Text.Json.JsonException: IDX11020: The JSON value of type: 'StartArray', could not be converted to 'JsonTokenType.String or JsonTokenType.Number'. Reading: 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken.sub', Position: '52', CurrentDepth: '1', BytesConsumed: '53'.
   at Microsoft.IdentityModel.Tokens.Json.JsonSerializerPrimitives.ReadStringOrNumberAsString(Utf8JsonReader& reader, String propertyName, String className, Boolean read)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebToken.CreatePayloadClaimSet(Byte[] bytes, Int32 length)
   at Microsoft.IdentityModel.Tokens.Base64UrlEncoding.Decode[T](String input, Int32 offset, Int32 length, Func`3 action)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebToken.CreateClaimSet(String rawString, Int32 startIndex, Int32 length, Func`3 action)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebToken.ReadToken(String encodedJson)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebToken.ReadToken(String encodedJson)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebToken..ctor(String jwtEncodedString)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ReadToken(String token, TokenValidationParameters validationParameters)
   --- End of inner exception stack trace ---

.NET Version

8.0.403

Anything else?

No response
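The inner exception above is the useful one: the outer IDX14100 "no dots" message is misleading, while the JsonException says the payload's `sub` member is a JSON array (StartArray) where a string is required. Because IdentityModel hides the offending payload as PII, a quick way to confirm this on a real token is to split it, base64url-decode the middle segment and check the type of each registered claim. The following is an added example, not code from the page or from the dotnet/aspnetcore project: it builds an HS256 token whose payload carries `sub` as an array (a constructed shape that mirrors what the exception reports, signed with a constructed demo key, not the key user-jwts stores), verifies the signature to show the token is a well-formed JWS, and then reports which claims have the wrong JSON type. The function names and the `STRING_CLAIMS` list are this example's own.

```python
import base64
import hashlib
import hmac
import json

# RFC 7519 registered claims whose value must be a single JSON string.
# "aud" is deliberately absent: the RFC allows it to be an array.
STRING_CLAIMS = ("iss", "sub", "jti")


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWS Compact Serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding that compact serialization strips, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_hs256_jwt(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """True when the signature over header.payload checks out."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def decode_payload(token: str) -> dict:
    """Decode the claim set without hiding it, the way a debugger would."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(b64url_decode(parts[1]))


def find_malformed_claims(payload: dict) -> dict:
    """Map each string-only registered claim to its actual JSON type if wrong."""
    bad = {}
    for name in STRING_CLAIMS:
        if name in payload and not isinstance(payload[name], str):
            bad[name] = type(payload[name]).__name__
    return bad


# Constructed demo key and payloads; not the user-jwts signing key.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Two claims named "sub" serialized into one payload end up as an array,
# which is the shape the IDX11020 StartArray error describes.
BROKEN_TOKEN = make_hs256_jwt(
    {"sub": ["test", "testusername"], "name": "testusername"}, DEMO_KEY
)

# The workaround from the thread: keep "sub" single-valued and put the
# custom id under the nameidentifier claim URI instead.
WORKING_TOKEN = make_hs256_jwt(
    {
        "sub": "testusername",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "testId",
    },
    DEMO_KEY,
)

if __name__ == "__main__":
    for label, tok in (("broken", BROKEN_TOKEN), ("working", WORKING_TOKEN)):
        print(label, "signature ok:", verify_hs256(tok, DEMO_KEY))
        print(label, "payload:", decode_payload(tok))
        print(label, "malformed claims:", find_malformed_claims(decode_payload(tok)))
```

Run against a token produced by `dotnet user-jwts create`, only `decode_payload` and `find_malformed_claims` are needed; the point the broken case makes is that the signature is valid and the three segments are present, so the real failure is the claim type, not token framing.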

@martincostello
Member

This is likely caused by #52286.

If you search for "no dots" in closed issues you'll see various issues that trace back to it.

@MackinnonBuck
Member

@enricoferrari, does the suggestion mentioned in this comment resolve the issue?

@MackinnonBuck MackinnonBuck added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Nov 20, 2024
@enricoferrari
Author

> @enricoferrari, does the suggestion mentioned in this comment resolve the issue?

Adding Microsoft.IdentityModel.JsonWebTokens and Microsoft.IdentityModel.Tokens to the project did not help.

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Nov 20, 2024
@enricoferrari
Author

As an update to this, I was able to work around this using the full name-identifier claim path instead of sub:
dotnet user-jwts create --claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier=testId"

This also works as expected when you include name:
dotnet user-jwts create --name testusername --claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier=testId"
