TokenValidationParameters.set_AllowedAudiences MissingMethodException

Sep 22, 2014 at 1:20 PM
This may be related to System.IdentityModel.Tokens.Jwt or it might be due to Azure .NET Backend services.

Basically I have followed http://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/ and in version 3.0.0, which I have reverted back to, everything works fine. When it is upgraded to version 4.0.0 along with the latest version of the Azure Mobile Backend Services, it never authorizes correctly when calling a WebAPI 2.2 MVC controller.

Example:

    public class GuestController : TableController<guest_Stay>
    {
        [AuthorizeLevel(AuthorizationLevel.User)]
        public async Task<IHttpActionResult> PostGuest(guest_Stay item)
        {

So I went digging deep to see where it was failing.

In Microsoft.WindowsAzure.Mobile.Service.Security.ServiceTokenHandler

There is a method called TryValidateLoginToken (used dotPeek to see what was here)
public virtual bool TryValidateLoginToken(string token, string secretKey, out ClaimsPrincipal claimsPrincipal)
    {
      if (token == null)
        throw new ArgumentNullException("token");
      if (secretKey == null)
        throw new ArgumentNullException("secretKey");
      TokenValidationParameters validationParams = new TokenValidationParameters();
      validationParams.set_AllowedAudience("urn:microsoft:windows-azure:zumo");
      validationParams.set_ValidateIssuer(true);
      validationParams.set_ValidIssuer("urn:microsoft:windows-azure:zumo");
      return ServiceTokenHandler.TryValidateToken(validationParams, token, secretKey, out claimsPrincipal);
    }
Inside here it sets the TokenValidationParameters and on set_AllowedAudience it causes the MissingMethodException.

So I wrote up my own method as below, yet this worked fine:

internal static bool TryValidateToken(TokenValidationParameters validationParams, string tokenString, string secretKey, out ClaimsPrincipal claimsPrincipal)
{
    claimsPrincipal = (ClaimsPrincipal)null;

    // Build the parameters with the property names exposed by JWT 4.0.0
    // (ValidAudience instead of AllowedAudience).
    validationParams = new TokenValidationParameters();
    validationParams.ValidAudience = "urn:microsoft:windows-azure:zumo";
    validationParams.ValidateIssuer = true;
    validationParams.ValidIssuer = "urn:microsoft:windows-azure:zumo";

    // The signing key is derived from the mobile service secret.
    BinarySecretSecurityToken secretSecurityToken = new BinarySecretSecurityToken(ServiceTokenHandler.GetSigningKey(secretKey));
    validationParams.IssuerSigningToken = (SecurityToken)secretSecurityToken;

    JwtSecurityTokenHandler securityTokenHandler = new JwtSecurityTokenHandler();
    SecurityToken token = null;
    try
    {
        claimsPrincipal = securityTokenHandler.ValidateToken(tokenString, validationParams, out token);
    }
    catch (SecurityTokenException)
    {
        // Signature, audience, issuer or lifetime check failed.
        return false;
    }
    catch (ArgumentException)
    {
        // The token string was malformed.
        return false;
    }

    return true;
}

The only reason I thought it might be a Katana issue is because this problem is very similar to https://katanaproject.codeplex.com/discussions/545113

It is also confusing because I am using 2.1.0 successfully; it is only when I upgrade to the latest version that things go wrong.
Coordinator
Sep 22, 2014 at 2:08 PM
Can you share your packages.config? It sounds like your dependencies are out of sync.
Sep 22, 2014 at 3:17 PM
<packages>
  <package id="Autofac" version="3.5.2" targetFramework="net451" />
  <package id="AutoMapper" version="3.2.1" targetFramework="net45" />
  <package id="EntityFramework" version="6.1.1" targetFramework="net45" />
  <package id="Microsoft.AspNet.Cors" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.Identity.Core" version="2.1.0" targetFramework="net451" />
  <package id="Microsoft.AspNet.Identity.Owin" version="2.1.0" targetFramework="net451" />
  <package id="Microsoft.AspNet.Razor" version="3.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi.Client" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi.Core" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi.Cors" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi.OData" version="5.3.0" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi.Owin" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi.Tracing" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.AspNet.WebApi.WebHost" version="5.2.2" targetFramework="net451" />
  <package id="Microsoft.Data.Edm" version="5.6.2" targetFramework="net45" />
  <package id="Microsoft.Data.OData" version="5.6.2" targetFramework="net45" />
  <package id="Microsoft.Owin" version="3.0.0" targetFramework="net45" />
  <package id="Microsoft.Owin.Host.SystemWeb" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.Owin.Security" version="3.0.0" targetFramework="net45" />
  <package id="Microsoft.Owin.Security.ActiveDirectory" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.Owin.Security.Cookies" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.Owin.Security.Facebook" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.Owin.Security.Google" version="3.0.0" targetFramework="net45" />
  <package id="Microsoft.Owin.Security.Jwt" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.Owin.Security.MicrosoftAccount" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.Owin.Security.OAuth" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.Owin.Security.Twitter" version="3.0.0" targetFramework="net451" />
  <package id="Microsoft.WindowsAzure.ConfigurationManager" version="2.0.3" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="6.0.5" targetFramework="net451" />
  <package id="Owin" version="1.0" targetFramework="net45" />
  <package id="RazorEngine" version="3.4.1" targetFramework="net45" />
  <package id="System.IdentityModel.Tokens.Jwt" version="4.0.0" targetFramework="net451" />
  <package id="System.Spatial" version="5.6.2" targetFramework="net45" />
  <package id="WindowsAzure.MobileServices.Backend" version="1.0.348" targetFramework="net451" />
  <package id="WindowsAzure.MobileServices.Backend.Entity" version="1.0.348" targetFramework="net451" />
  <package id="WindowsAzure.MobileServices.Backend.Tables" version="1.0.348" targetFramework="net451" />
  <package id="WindowsAzure.ServiceBus" version="2.4.3.0" targetFramework="net451" />
</packages>
Coordinator
Sep 24, 2014 at 9:18 PM
Oh yuck. It looks like there was a breaking change in System.IdentityModel.Tokens.Jwt between v1.0 and v4.0. Katana v3 references JWT v4, but WindowsAzure.MobileServices.Backend references JWT v1. You won't be able to use both in the same app until mobile services updates to use JWT v4. I'll contact them about the break.
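
Added example (not part of the thread, and not Katana or Mobile Services code): a reflection check for the mismatch the coordinator describes. It reports which version of System.IdentityModel.Tokens.Jwt is loaded, whether its TokenValidationParameters exposes AllowedAudience or ValidAudience, and which version each loaded assembly was compiled against. The class name JwtReferenceReport is hypothetical.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Text;

// Added diagnostic, not code from the thread. Return JwtReferenceReport.Build()
// from a temporary endpoint or write it to the trace log after startup.
public static class JwtReferenceReport
{
    private const string JwtAssembly = "System.IdentityModel.Tokens.Jwt";

    public static string Build()
    {
        var report = new StringBuilder();
        Assembly[] all = AppDomain.CurrentDomain.GetAssemblies();

        // The copy of the JWT library that the runtime actually loaded.
        Assembly loaded = all.FirstOrDefault(a => a.GetName().Name == JwtAssembly);
        if (loaded == null)
            return JwtAssembly + " is not loaded yet.";
        Version loadedVersion = loaded.GetName().Version;
        report.AppendLine("Loaded " + JwtAssembly + " " + loadedVersion);

        // Which audience property does the loaded TokenValidationParameters expose?
        // Looked up by simple name so no namespace has to be assumed.
        Type tvp = loaded.GetExportedTypes()
            .FirstOrDefault(t => t.Name == "TokenValidationParameters");
        foreach (string name in new[] { "AllowedAudience", "ValidAudience" })
        {
            bool present = tvp != null && tvp.GetProperty(name) != null;
            report.AppendLine("  " + name + ": " + (present ? "present" : "missing"));
        }

        // Which version was each dependent assembly compiled against?
        foreach (Assembly asm in all)
        {
            AssemblyName jwtRef = asm.GetReferencedAssemblies()
                .FirstOrDefault(r => r.Name == JwtAssembly);
            if (jwtRef == null)
                continue;
            string flag = jwtRef.Version.Major != loadedVersion.Major
                ? "  <-- compiled against a different major version" : "";
            report.AppendLine(asm.GetName().Name + " references " + jwtRef.Version + flag);
        }
        return report.ToString();
    }
}
```

An assembly flagged here calls property setters that may not exist in the loaded copy, which is the condition that surfaces as MissingMethodException inside an authorization path.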