Validating JWT signed with hmac-sha256

Nov 7, 2014 at 4:07 PM
I am working on a project to use the Katana OpenID Connect middleware to authenticate with a third party (OpenAM) provider. The provider is signing the JWT with hmac-sha256. When the OpenID middleware is validating the JWT via a call to ValidateToken it is throwing the following exception:

{"IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey\r\n'.\nExceptions caught:\n 'System.InvalidOperationException: IDX10618: AsymmetricSecurityKey.GetHashAlgorithmForSignature( 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' ) threw an exception.\nAsymmetricSecurityKey: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'\nSignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256', check to make sure the SignatureAlgorithm is supported.\nException: 'System.NotSupportedException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' not supported in this context.\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetHashAlgorithmForSignature(String algorithm)\r\n at ......

What am I missing or does the default SecurityTokenHandler really not support that algorithm?

Thanks,

Gordon
Developer
Nov 7, 2014 at 9:42 PM
hmacsha256 requires a SymmetricSecurityKey. How are you setting the keys / tokens on TokenValidationParameters?
Nov 7, 2014 at 9:56 PM
I am setting it like this:
TokenValidationParameters = new TokenValidationParameters()
{
    IssuerSigningKeys = new List<SecurityKey>() { new X509SecurityKey(cert) }
}
The token is signed with a certificate. I am very new to this so any help you can give is appreciated.
Developer
Nov 7, 2014 at 10:32 PM
Can you share the jwt OR the jwtHeader?
Nov 7, 2014 at 10:37 PM
Here is the header:
{
    "alg": "HS256",
    "cty": "JWT",
    "typ": "JWT"
}
Developer
Nov 7, 2014 at 11:00 PM
Does OpenAM have a discovery endpoint? How do you know the JWT is signed with a cert (I assume X.509)?
Nov 10, 2014 at 2:27 PM
Edited Nov 10, 2014 at 2:43 PM
We are implementing OpenAM internally. We are the ones providing the cert. Right now there is an issue with OpenAM returning a proper value in the jwks_uri. To work around that I am adding the cert in the TokenValidationParameters.
Developer
Nov 11, 2014 at 3:14 PM
What is happening is the alg 'HS256' is not recognized by the X509AsymmetricSecurityKey as a supported algorithm. If the alg in the header was: RS256 then the X509AsymmetricSecurityKey would find the algorithm.

Since you implement OpenAM, why is the alg set to 'HS256'?
Marked as answer by gdgudmundson on 11/11/2014 at 9:53 AM
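The key-selection rule in the accepted answer, shown as an added example that is not part of the original thread or of the Katana/IdentityModel code: a token with the thread's HS256 header is verified only against a symmetric (shared-secret) key, and validation fails up front when only an X.509-style asymmetric key has been configured, which is the situation behind the IDX10503 error above. The shared secret and the x509 placeholder are constructed values; RSA verification is deliberately not implemented here.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only; OpenAM and the relying party
# would have to provision the real one out of band.
SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWT with the same header the thread shows (alg HS256)."""
    header = {"alg": "HS256", "cty": "JWT", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, symmetric_keys=(), asymmetric_keys=()) -> dict:
    """Pick the key type from the header alg, as TokenValidationParameters must:
    HS256 needs a symmetric key, RS256 would need an asymmetric (X.509) key.
    Returns the payload on success and raises ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWT")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "HS256":
        if not symmetric_keys:
            raise ValueError("HS256 token but no symmetric key configured; "
                             "an X509 key cannot verify an HMAC signature")
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        presented = b64url_decode(sig_b64)
        for key in symmetric_keys:
            mac = hmac.new(key, signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(mac, presented):  # constant-time compare
                return json.loads(b64url_decode(payload_b64))
        raise ValueError("signature validation failed for every symmetric key")
    if alg == "RS256":
        if not asymmetric_keys:
            raise ValueError("RS256 token but no asymmetric key configured")
        raise NotImplementedError("RSA verification is outside this example")
    raise ValueError(f"unsupported or disallowed alg {alg!r}")
```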
Nov 11, 2014 at 4:53 PM
The version of OpenAM we are using only supports HS256. A soon to release version is going to support RS256. It sounds like what we may need to do is implement a shared symmetric key until then. I will have to check with our team to see if they support that. Thanks!