Tags: asp.net-mvc, jwt, amazon-cognito, bearer-token, .net-8.0

How to debug "Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Debug: AuthenticationScheme: Bearer was not authenticated"?


I am going through the extremely painful process of updating a .NET Core 1.1 MVC web service which has been in production, untouched, for 9 years. I'm attempting to convert to .NET 8.0. I'm trying to get the service to validate AWS Cognito bearer tokens. I have the issuer configured properly (I verify the string exactly matches the iss field in the decoded JWT) but I simply see this in the debug output:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Debug: AuthenticationScheme: Bearer was not authenticated.

I have default logging level set to trace as well as calling out trace for individual components:

    {
      "Logging": {
        "IncludeScopes": false,
        "LogLevel": {
          "Default": "Trace",
          "System": "Trace",
          "Microsoft": "Trace",
          "Microsoft.AspNetCore": "Trace",
          "Microsoft.AspNetCore.Authentication": "Trace"
        }
      }
    }

and I have set various JwtBearer options that would appear to increase information:

    options.TokenValidationParameters = new TokenValidationParameters
    {
        RequireSignedTokens = true,
        RequireExpirationTime = true,
        ClockSkew = new TimeSpan(0, 15, 0),
        RequireAudience = false,
        ValidateAudience = false,
        ValidateLifetime = true,
        ValidateIssuer = true,
        ValidIssuer = "proper aws url",
        // extra diagnostic flags (Microsoft.IdentityModel.Tokens) turned on for this investigation
        LogValidationExceptions = true,
        LogTokenId = true,
    };
    // fall back to the older JwtSecurityTokenHandler instead of the .NET 8 default JsonWebTokenHandler
    options.UseSecurityTokenValidators = true;
    // include error and error_description in the WWW-Authenticate challenge header
    options.IncludeErrorDetails = true;

Yet the tracing produced seems extremely limited (one line) and unspecific. This seems crazy; I must be missing something. How can I debug this to figure out where the validation is going wrong? Is there some way to insert my own passthrough class into this chain so I can at least see which function is failing, what it is taking for params, etc.?


Solution

  • In .NET 8, when setting up authentication you need to add the authentication scheme and JWT Bearer:

        using System.Security.Claims;
        using Microsoft.AspNetCore.Authentication.JwtBearer;
        using Microsoft.IdentityModel.Protocols;
        using Microsoft.IdentityModel.Protocols.OpenIdConnect;
        using Microsoft.IdentityModel.Tokens;

        var builder = WebApplication.CreateBuilder(args);

        // 'settings' is a placeholder object assumed to hold DiscoveryUrl (the provider's
        // .well-known/openid-configuration URL), Issuer (must equal the token's iss claim)
        // and Audience (an IEnumerable<string> of accepted aud values).
        builder.Services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
            {
                // Downloads the issuer metadata and the JWKS it points to, so the handler
                // has signing keys to verify the token signature against.
                var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                    settings.DiscoveryUrl,
                    new OpenIdConnectConfigurationRetriever());

                opt.RequireHttpsMetadata = true;
                opt.SaveToken = true;
                opt.ConfigurationManager = configManager;
                opt.TokenValidationParameters = new TokenValidationParameters
                {
                    ClockSkew = TimeSpan.FromMinutes(3),
                    ValidateLifetime = true,
                    ValidateIssuer = true,
                    ValidIssuer = settings.Issuer,
                    ValidateAudience = true,
                    ValidateIssuerSigningKey = true,
                    ValidAudiences = settings.Audience,
                    NameClaimType = ClaimTypes.Upn
                };
            });

        // AddAuthorization also registers the policy evaluator that UseAuthorization needs.
        builder.Services.AddAuthorization(opt =>
        {
            // Your policies here
        });

        // Other configuration
        var app = builder.Build();

        app.UseAuthentication();
        app.UseAuthorization();

        app.Run();
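The following is an added example, not code from the question or the answer, that ties the two together: it is a complete .NET 8 Program.cs that validates AWS Cognito bearer tokens the way the answer sets things up, and it answers the question's "which function is failing?" by hooking JwtBearerEvents so the concrete IdentityModel exception (key not found, issuer mismatch, expired, and so on) is logged instead of the single "Bearer was not authenticated" line. It goes a little beyond the page by adding the Cognito-specific claim checks (token_use and client_id). Assumed, not taken from the page: the Microsoft.AspNetCore.Authentication.JwtBearer 8.x package with implicit usings enabled, a hypothetical "Cognito" configuration section with Authority and ClientId values, and the /whoami endpoint.

```csharp
// Added example (not the question's or the answer's code): .NET 8 Program.cs that
// validates Cognito JWTs and surfaces the exact reason a token is rejected.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed appsettings.json shape (constructed for this example):
// "Cognito": { "Authority": "https://cognito-idp.<region>.amazonaws.com/<user pool id>",
//              "ClientId":  "<app client id>" }
var authority = builder.Configuration["Cognito:Authority"]
    ?? throw new InvalidOperationException("Cognito:Authority is not configured");
var clientId = builder.Configuration["Cognito:ClientId"]
    ?? throw new InvalidOperationException("Cognito:ClientId is not configured");

// Development only: IdentityModel otherwise replaces key ids, issuers and audiences in
// its exception messages with "PII is hidden", which is what makes failures look unspecific.
IdentityModelEventSource.ShowPII = builder.Environment.IsDevelopment();

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority makes the handler download <Authority>/.well-known/openid-configuration
        // and the JWKS it references; without a key source, ValidateIssuerSigningKey cannot pass.
        options.Authority = authority;
        options.RequireHttpsMetadata = true;
        options.IncludeErrorDetails = true;   // error/error_description in WWW-Authenticate
        options.MapInboundClaims = false;     // keep raw JWT claim names such as "sub"

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = authority,          // assumption: Authority equals the token's iss value
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromMinutes(5),
            // Cognito access tokens carry client_id rather than aud, so the audience is
            // checked by hand in OnTokenValidated below instead of by the built-in check.
            ValidateAudience = false,
            NameClaimType = "username",
            RoleClaimType = "cognito:groups",
        };

        options.Events = new JwtBearerEvents
        {
            // Fires with the concrete exception (IDX10501 no matching key, IDX10205 issuer
            // mismatch, IDX10223 expired, ...) hidden behind "Bearer was not authenticated".
            OnAuthenticationFailed = ctx =>
            {
                var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
                log.LogWarning(ctx.Exception, "Bearer token rejected: {Message}", ctx.Exception.Message);
                return Task.CompletedTask;
            },
            // Signature, issuer and lifetime already passed; enforce Cognito-specific claims here.
            OnTokenValidated = ctx =>
            {
                var principal = ctx.Principal!;
                var tokenUse = principal.FindFirst("token_use")?.Value;
                var audience = principal.FindFirst("client_id")?.Value
                               ?? principal.FindFirst("aud")?.Value;
                if (tokenUse != "access")
                    ctx.Fail($"expected an access token, got token_use={tokenUse}");
                else if (audience != clientId)
                    ctx.Fail("token was issued for a different app client");
                return Task.CompletedTask;
            },
            // Logs what the 401 challenge will carry, including a failure set above.
            OnChallenge = ctx =>
            {
                var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
                log.LogInformation("Challenge: {Error} {Description}", ctx.Error, ctx.ErrorDescription);
                return Task.CompletedTask;
            },
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Protected probe endpoint: returns the subject once validation succeeds.
app.MapGet("/whoami", (ClaimsPrincipal user) =>
        Results.Ok(new { sub = user.FindFirst("sub")?.Value, name = user.Identity?.Name }))
   .RequireAuthorization();

app.Run();
```

Run it, call /whoami with an `Authorization: Bearer <token>` header, and the warning logged from OnAuthenticationFailed names the failing check by its IDX code rather than the generic handler line. If, as in the question's own snippet, neither Authority nor a ConfigurationManager supplies signing keys, that exception is where the missing key source shows up; ShowPII is tied to the Development environment on purpose, because the detailed messages include key ids and issuer values that should not reach production logs.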