WS-Federation throws an argument null exception

Jun 13, 2014 at 1:23 AM
Having some trouble with getting WS-Federation to work with ACS.
Here is how I have configured WS-Federation:
var wsfederationOptions = new WsFederationAuthenticationOptions
{
    MetadataAddress = System.Configuration.ConfigurationManager.AppSettings["ida:FederationMetadataLocation"],
    Wtrealm = System.Configuration.ConfigurationManager.AppSettings["ida:Realm"],

    SecurityTokenHandlers = new System.IdentityModel.Tokens.SecurityTokenHandlerCollection(),
    TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(SymmetricKey)),
        ValidIssuer = System.Configuration.ConfigurationManager.AppSettings["ida:Issuer"],
        ValidAudience = System.Configuration.ConfigurationManager.AppSettings["ida:AudienceUri"],
        ValidateAudience = true,
        // Accepts every issuer, so the ValidIssuer value above is never enforced.
        IssuerValidator = (issuer, token) => true,
    },
};
var tokenHandler = new CustomJwtSecurityTokenHandler();

wsfederationOptions.SecurityTokenHandlers.AddOrReplace(tokenHandler);
app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions() { AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType });

app.UseWsFederationAuthentication(wsfederationOptions);
Here is the exception. Any idea on how to debug this?
[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.Owin.Security.AuthenticationManager.set_AuthenticationResponseGrant(AuthenticationResponseGrant value) +106
   Microsoft.Owin.Security.AuthenticationManager.SignIn(AuthenticationProperties properties, ClaimsIdentity[] identities) +523
   Microsoft.Owin.Security.WsFederation.<AuthenticateCoreAsync>d__22.MoveNext() +4804
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +22
   Microsoft.Owin.Security.WsFederation.<AuthenticateCoreAsync>d__22.MoveNext() +5815
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
   Microsoft.Owin.Security.Infrastructure.<BaseInitializeAsync>d__0.MoveNext() +809
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +427
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   VortexLogger.<Invoke>d__3.MoveNext() in c:\Users\mukav\Documents\Visual Studio 2013\Projects\VortexLogger\Logger.cs:48
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +937
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   VortexLogger.<Invoke>d__3.MoveNext() in c:\Users\mukav\Documents\Visual Studio 2013\Projects\VortexLogger\Logger.cs:48
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +287
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<DoFinalWork>d__2.MoveNext() +272
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +22
   Microsoft.Owin.Host.SystemWeb.Infrastructure.ErrorState.Rethrow() +33
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +150
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +42
   System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +415
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Coordinator
Jun 13, 2014 at 2:59 AM
Sounds like a known issue: https://katanaproject.codeplex.com/workitem/245. Have you tried using the nightly builds?

Also, change this:
app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions() { AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType });
To:
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
Jun 13, 2014 at 7:40 PM
Edited Jun 13, 2014 at 7:41 PM
Thanks Tratcher! But I seem to have hit another bug now. I am using this build: 3.0.0-beta2-30612-073-dev. Do you want me to file an issue on this one?
[MissingMethodException: Method not found: 'System.IdentityModel.Tokens.SecurityTokenHandlerCollection Microsoft.IdentityModel.Extensions.SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers(System.String)'.]
   Microsoft.Owin.Security.WsFederation.WsFederationAuthenticationMiddleware..ctor(OwinMiddleware next, IAppBuilder app, WsFederationAuthenticationOptions options) +0
   lambda_method(Closure , OwinMiddleware , IAppBuilder , WsFederationAuthenticationOptions ) +83

[TargetInvocationException: Exception has been thrown by the target of an invocation.]
   System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) +0
   System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments) +92
   System.Reflection.RuntimeMethodInfo.UnsafeInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) +102
   System.Delegate.DynamicInvokeImpl(Object[] args) +104
   System.Delegate.DynamicInvoke(Object[] args) +10
   Microsoft.Owin.Builder.AppBuilder.BuildInternal(Type signature) +365
   Microsoft.Owin.Builder.AppBuilder.Build(Type returnType) +42
   Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup) +923
   Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup) +136
   Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint() +159
   System.Threading.LazyInitializer.EnsureInitializedCore(T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory) +86
   System.Threading.LazyInitializer.EnsureInitialized(T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory) +72
   Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context) +104
   System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +418
   System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +172
   System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +336
   System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +296

[HttpException (0x80004005): Exception has been thrown by the target of an invocation.]
   System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +9885060
   System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +101
   System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +254
Coordinator
Jun 13, 2014 at 10:53 PM
It sounds like your dependencies are just out of sync. Can you share your full packages config?
Jun 13, 2014 at 11:16 PM
Sure. Here is what I have:
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Antlr" version="3.4.1.9004" targetFramework="net45" />
  <package id="bootstrap" version="3.0.0" targetFramework="net45" />
  <package id="jQuery" version="1.10.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.Mvc" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.Razor" version="3.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi.Client" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi.Core" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi.HelpPage" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi.Owin" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi.OwinSelfHost" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi.Tracing" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebApi.WebHost" version="5.1.2" targetFramework="net45" />
  <package id="Microsoft.AspNet.WebPages" version="3.1.2" targetFramework="net45" />
  <package id="Microsoft.IdentityModel.Protocol.Extensions" version="1.0.0-Beta2-10610-1317" targetFramework="net45" />
  <package id="Microsoft.Owin" version="3.0.0-beta2-30612-073-dev" targetFramework="net45" />
  <package id="Microsoft.Owin.Host.HttpListener" version="2.1.0" targetFramework="net45" />
  <package id="Microsoft.Owin.Host.SystemWeb" version="3.0.0-beta2-30612-073-dev" targetFramework="net45" />
  <package id="Microsoft.Owin.Hosting" version="2.1.0" targetFramework="net45" />
  <package id="Microsoft.Owin.Security" version="3.0.0-beta2-30612-073-dev" targetFramework="net45" />
  <package id="Microsoft.Owin.Security.Cookies" version="3.0.0-beta2-30612-073-dev" targetFramework="net45" />
  <package id="Microsoft.Owin.Security.Jwt" version="3.0.0-beta2-30612-073-dev" targetFramework="net45" />
  <package id="Microsoft.Owin.Security.OAuth" version="3.0.0-beta2-30612-073-dev" targetFramework="net45" />
  <package id="Microsoft.Owin.Security.WsFederation" version="3.0.0-beta2-30612-073-dev" targetFramework="net45" />
  <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
  <package id="Modernizr" version="2.6.2" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="5.0.6" targetFramework="net45" />
  <package id="Owin" version="1.0" targetFramework="net45" />
  <package id="Respond" version="1.2.0" targetFramework="net45" />
  <package id="System.IdentityModel.Tokens.Jwt" version="4.0.0-Beta2-10610-1317" targetFramework="net45" />
  <package id="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry" version="4.5.1" targetFramework="net45" />
  <package id="WebGrease" version="1.5.2" targetFramework="net45" />
</packages>
Jun 16, 2014 at 12:27 AM
It looks like Microsoft.Owin, Microsoft.Owin.Host.HttpListener and Microsoft.Owin.Hosting were not in sync. Once I upgraded them I got a new error from System.IdentityModel.Tokens.Jwt. It looks like the beta version of the JwtTokenHandler is not working correctly with symmetric keys:
[IndexOutOfRangeException: Index was outside the bounds of the array.]
   System.IdentityModel.Tokens.SymmetricSignatureProvider.AreEqual(Byte[] a, Byte[] b) +131
   System.IdentityModel.Tokens.SymmetricSignatureProvider.Verify(Byte[] input, Byte[] signature) +449
   System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm) +449
   System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) +2730

[SignatureVerificationFailedException: IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey
'.
Exceptions caught:
 'System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at System.IdentityModel.Tokens.SymmetricSignatureProvider.AreEqual(Byte[] a, Byte[] b)
   at System.IdentityModel.Tokens.SymmetricSignatureProvider.Verify(Byte[] input, Byte[] signature)
   at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
'.
token: '{"typ":"JWT","alg":"HS256"}.{"aud":"https://localhost:44301/","iss":"https://monitortest.accesscontrol.windows.net/","nbf":1402799632,"exp":1402800232,"nameid":"9GrFVLfgpVjdvdb9GJVvH0aWsiSx4oaO5NLm8EePzSs=","identityprovider":"uri:WindowsLiveID"}
RawData: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdDo0NDMwMS8iLCJpc3MiOiJodHRwczovL21vbml0b3J0ZXN0LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQvIiwibmJmIjoxNDAyNzk5NjMyLCJleHAiOjE0MDI4MDAyMzIsIm5hbWVpZCI6IjlHckZWTGZncFZqZHZkYjlHSlZ2SDBhV3NpU3g0b2FPNU5MbThFZVB6U3M9IiwiaWRlbnRpdHlwcm92aWRlciI6InVyaTpXaW5kb3dzTGl2ZUlEIn0.JyMOISXVT9IDSwaXY-xFZ6WCdOeRjO1jikl17_kACYY']
   System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) +3293
   System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) +561
   Microsoft.IdentityModel.Extensions.SecurityTokenHandlerCollectionExtensions.ValidateToken(SecurityTokenHandlerCollection tokenHandlers, String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) +365
   Microsoft.Owin.Security.WsFederation.<AuthenticateCoreAsync>d__1e.MoveNext() +4143
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +22
   Microsoft.Owin.Security.WsFederation.<AuthenticateCoreAsync>d__1e.MoveNext() +6762
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
   Microsoft.Owin.Security.Infrastructure.<BaseInitializeAsync>d__0.MoveNext() +809
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +427
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   VortexLogger.<Invoke>d__3.MoveNext() in c:\Users\mukav\Documents\Visual Studio 2013\Projects\VortexLogger\Logger.cs:48
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +937
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   VortexLogger.<Invoke>d__3.MoveNext() in c:\Users\mukav\Documents\Visual Studio 2013\Projects\VortexLogger\Logger.cs:48
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +287
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<DoFinalWork>d__2.MoveNext() +272
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +22
   Microsoft.Owin.Host.SystemWeb.Infrastructure.ErrorState.Rethrow() +33
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +150
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +42
   System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +415
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Coordinator
Jun 16, 2014 at 4:58 PM
That's problematic. I've forwarded this to the IdentityModel owners for triage.
Jun 17, 2014 at 1:45 PM
Strange. The project I'm working on uses InMemorySymmetricSecurityKey with System.IdentityModel.Tokens.Jwt (version 4.0.0-Beta2-10610-1317) and it works nicely.

How are you constructing your InMemorySymmetricSecurityKey?
Jun 17, 2014 at 6:21 PM
It is getting set as part of the token validation parameters that I pass to the WS-Federation middleware. The full code is in my original post, but I have pasted the snippet below for convenience.
var wsfederationOptions = new WsFederationAuthenticationOptions
{
    MetadataAddress = System.Configuration.ConfigurationManager.AppSettings["ida:FederationMetadataLocation"],
    Wtrealm = System.Configuration.ConfigurationManager.AppSettings["ida:Realm"],

    SecurityTokenHandlers = new System.IdentityModel.Tokens.SecurityTokenHandlerCollection(),
    TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(SymmetricKey)),
        ValidIssuer = System.Configuration.ConfigurationManager.AppSettings["ida:Issuer"],
        ValidAudience = System.Configuration.ConfigurationManager.AppSettings["ida:AudienceUri"],
        ValidateAudience = true,
        IssuerValidator = (issuer, token) => true,
    },
};
I did try replacing
IssuerSigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(SymmetricKey)),
with
IssuerSigningKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(SymmetricKey)),
but it continues to throw the same exception.
Jun 17, 2014 at 6:29 PM
Yeah, I saw that. But how did you generate the key itself?
And BTW, what's your key size?
Jun 17, 2014 at 6:38 PM
The key size as in character length?
The key is 44 characters in length. The key is for a personal access control namespace & relying party in azure and was generated by ACS.
Jun 17, 2014 at 6:46 PM
Edited Jun 17, 2014 at 7:05 PM
Forget what I said, I checked the old app that was using ACS and the base64-encoded key is indeed 44 chars (with the trailing =), which corresponds to the key length used by ACS (256 bits).
Jun 17, 2014 at 7:08 PM
I am fairly certain the key is correct. It works fine with JwtBearerAuthentication; the problem seems to be with WS-Federation specifically.

Here is the key that I am using right now, which was generated by Azure:
VBXaiTgljPw8BfPSs9ancPbm1wMi45XV9S0SLsBF2+Q=
Jun 17, 2014 at 7:15 PM
Weird. JwtBearerAuthentication also uses the JwtSecurityTokenHandler internally. If it works with JwtBearerAuthentication, I don't see why it wouldn't with your WS-Fed MW, configured with JWT.

I'll try to make a demo app to see if I can reproduce your issue.
Jun 17, 2014 at 7:24 PM
Edited Jun 17, 2014 at 8:08 PM
Could you try inserting your key in WsFederationAuthenticationOptions.Configuration.SigningKeys instead of TokenValidationParameters.IssuerSigningKey? The WS-Fed MW has been updated during the last few months to support WsFederationConfiguration, there may be a bug there.

Edit: I tried reproducing your issue using a tweaked WCF/WIF identity provider issuing JWT tokens but I was not able to. Maybe you should upload a repro somewhere. I'll ask a coworker tomorrow to see if we can reproduce your issue using ACS.
Jun 17, 2014 at 8:51 PM
As suggested, I tried replacing the configuration with the following code:
var wsfederationOptions = new WsFederationAuthenticationOptions
{
    MetadataAddress = System.Configuration.ConfigurationManager.AppSettings["ida:FederationMetadataLocation"],
    Wtrealm = System.Configuration.ConfigurationManager.AppSettings["ida:Realm"],

    SecurityTokenHandlers = new System.IdentityModel.Tokens.SecurityTokenHandlerCollection(),
    Configuration = new Microsoft.IdentityModel.Protocols.WsFederationConfiguration(),
};
var tokenHandler = new CustomJwtSecurityTokenHandler();
wsfederationOptions.Configuration.Issuer = System.Configuration.ConfigurationManager.AppSettings["ida:Issuer"];
wsfederationOptions.Configuration.SigningKeys.Add(new InMemorySymmetricSecurityKey(Convert.FromBase64String(SymmetricKey)));
It still throws the same error.

-Mukund
Jun 19, 2014 at 4:28 PM
Were you able to repro the issue with ACS?
Where can I get the symbol files for the nightly dev build? I'd like to see if I can step into the code and figure out what's wrong with it.
Coordinator
Jun 19, 2014 at 5:14 PM
Here's how to get symbols:
http://katanaproject.codeplex.com/wikipage?title=Debugging&referringTitle=Documentation

I think there's a related feed for nightly symbols.
Jun 19, 2014 at 6:00 PM
masterkidan wrote:
Were you able to repro the issue with ACS?
Where can I get the symbol files for the nightly dev build? I'd like to see if I can step into the code and figure out what's wrong with it.
Sadly no, I asked a coworker to configure a RP app for me but he forgot to select JWT for the token type...
It worked with SAML2 tokens but I couldn't test with JWT yet.

Have you tested SAML2 tokens?
Jun 19, 2014 at 9:09 PM
Unfortunately, I have a requirement to use JWT. Using SAML2 tokens is out of the question.
Jun 25, 2014 at 5:57 PM
I am unable to step into the piece of code that is throwing the exception. Is there a way I can get access to the debug builds? Have you had any luck with JWT + ACS?
Jun 25, 2014 at 6:40 PM
Hey,
Was looking through the source for JwtSecurityTokenHandler on http://dotnetinside.com/en/type/System.IdentityModel.Tokens.Jwt/SymmetricSignatureProvider/4.0.0.0

Noticed the following piece of code (which is where I am getting the exception):
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool AreEqual(byte[] a, byte[] b)
{
    int num = 0;
    byte[] array;
    byte[] array2;
    if (a == null || b == null || a.Length != b.Length)
    {
        // Length mismatch: fall back to the fixed-size dummy arrays ...
        array = SymmetricSignatureProvider.bytesA;
        array2 = SymmetricSignatureProvider.bytesB;
    }
    else
    {
        array = a;
        array2 = b;
    }
    // ... but the loop is still bounded by a.Length, not by array.Length
    for (int i = 0; i < a.Length; i++)
    {
        num |= (int)(array[i] ^ array2[i]);
    }
    return num == 0;
}
Shouldn't the for loop be over array.Length? Looking at the logic, it seems that a.Length may not always be equal to array.Length.
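As an added example (not code from this thread, from Katana, or from the IdentityModel library), the C# below reproduces the control flow of the decompiled AreEqual next to a length-safe constant-time comparison, and drives both with an HS256 (HMAC-SHA256) signature check of the kind JwtSecurityTokenHandler performs. The key, the signing input, and the 4-byte size and contents of the bytesA/bytesB stand-ins are assumptions made for this example; the thread does not show the real arrays.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignatureCompare
{
    // Stand-ins for SymmetricSignatureProvider.bytesA / bytesB. Their real size and
    // contents are not shown in the thread; 4 bytes with differing contents is an
    // assumption made for this example.
    private static readonly byte[] bytesA = { 0x00, 0x00, 0x00, 0x00 };
    private static readonly byte[] bytesB = { 0x01, 0x01, 0x01, 0x01 };

    // Same control flow as the decompiled AreEqual: on a length mismatch it switches
    // to the dummy arrays but still loops to a.Length, so a 32-byte HMAC compared
    // against a signature of another length indexes past the 4-byte dummy and throws.
    public static bool AreEqualBuggy(byte[] a, byte[] b)
    {
        int num = 0;
        byte[] array, array2;
        if (a == null || b == null || a.Length != b.Length)
        {
            array = bytesA;
            array2 = bytesB;
        }
        else
        {
            array = a;
            array2 = b;
        }
        for (int i = 0; i < a.Length; i++)   // bounded by a, not by array
        {
            num |= array[i] ^ array2[i];
        }
        return num == 0;
    }

    // Length-safe constant-time comparison. A length mismatch is a verification
    // failure, not an exception; the loop is bounded by the arrays it indexes and has
    // no data-dependent early exit. The MAC length is fixed by the algorithm, so
    // revealing it leaks nothing about the MAC value.
    public static bool AreEqualFixed(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }
        int num = 0;
        for (int i = 0; i < a.Length; i++)
        {
            num |= a[i] ^ b[i];
        }
        return num == 0;
    }

    // HS256 check over the JWT signing input ("header.payload"), parameterised on the
    // comparison so both versions can be exercised.
    public static bool VerifyHs256(string signingInput, byte[] key, byte[] signature,
                                   Func<byte[], byte[], bool> compare)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
            return compare(expected, signature);
        }
    }

    static void Main()
    {
        // Constructed 256-bit key and signing input (not the key posted in the thread).
        byte[] key = new byte[32];
        for (int i = 0; i < key.Length; i++) key[i] = (byte)i;
        string signingInput = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJleGFtcGxlIn0";

        byte[] good;
        using (var hmac = new HMACSHA256(key))
        {
            good = hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
        }
        byte[] tampered = (byte[])good.Clone();
        tampered[0] ^= 0x80;                          // same length, one bit flipped
        byte[] shortSig = new byte[20];
        Array.Copy(good, shortSig, shortSig.Length);  // wrong length, e.g. a truncated signature

        Console.WriteLine("good/fixed:     " + VerifyHs256(signingInput, key, good, AreEqualFixed));
        Console.WriteLine("tampered/fixed: " + VerifyHs256(signingInput, key, tampered, AreEqualFixed));
        Console.WriteLine("short/fixed:    " + VerifyHs256(signingInput, key, shortSig, AreEqualFixed));
        Console.WriteLine("good/buggy:     " + VerifyHs256(signingInput, key, good, AreEqualBuggy));
        try
        {
            Console.WriteLine("short/buggy:    " + VerifyHs256(signingInput, key, shortSig, AreEqualBuggy));
        }
        catch (IndexOutOfRangeException e)
        {
            // This is the failure mode reported earlier in the thread.
            Console.WriteLine("short/buggy:    " + e.GetType().Name);
        }
    }
}
```

The fixed comparer accepts the genuine signature and rejects both the tampered and the short one; the buggy comparer agrees on the equal-length inputs but throws on the short signature instead of returning false, which is what surfaces as the IndexOutOfRangeException wrapped in IDX10503 above. On .NET Core 2.1 and later, prefer CryptographicOperations.FixedTimeEquals from System.Security.Cryptography over a hand-written loop; it returns false on a length mismatch rather than throwing.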
Coordinator
Jun 26, 2014 at 4:30 PM
Agreed. This has been reported to them before, but I've filed https://github.com/MSOpenTech/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/17 to make sure they follow up.
Marked as answer by masterkidan on 6/30/2014 at 10:38 AM
Jun 27, 2014 at 6:19 PM
Thanks! I just ran into this issue this morning.
Developer
Jul 11, 2014 at 2:39 AM
Fixing this now. It can be picked up from myget shortly, or if we do RC3 or GA.