Home JSON Web Token validity verification passed on .NET Core but failed on .NET 4.6.1
Reply: 1

JSON Web Token validity verification passed on .NET Core but failed on .NET 4.6.1

kat1330 Published in 2017-11-14 20:51:11Z

I am trying to varify validity of JSON Web Token in both .NET Core and .NET 4.6.1 by using Microsoft.IdentityModel.Tokens library. I dug into source code and noticed that AsymmetricSignatureProvider differently handle signaure verification in method bool Verify(byte[] input, byte[] signature) for .NET Core and other versions, which is also place where my verification failed. You can find source code in this link.

In general I am first downloading JSON Web Key Sets, then I am building security keys and last I am building TokenValidationParameters and validating token.

My code starts here

Downloading JSON Web Key Sets:

string data = null;
using (WebClient client = new WebClient())
    data = client.DownloadString(URL_TO_JWKS);

var jwks = new JsonWebKeySet(data);

Here I am building security keys from JSON Web Key Sets. Please notice how I decoding exponent and modulus, maybe is wrong in .NET 4.1.6:

    var keys = new List<SecurityKey>();
    foreach (var webKey in jwks.Keys)
         var e = Base64UrlEncoder.DecodeBytes(webKey.E);
         var n = Base64UrlEncoder.DecodeBytes(webKey.N);
         var key = new RsaSecurityKey(new RSAParameters { Exponent = e, Modulus = n })
             KeyId = webKey.Kid


Here I am verifying token:

var token = new JwtSecurityToken(tokenString);
ClaimsPrincipal claimsPrincipal = null;

            var parameters = new TokenValidationParameters()
                ValidAudiences = token.Audiences,
                IssuerSigningKeys = keys,
                NameClaimType = nameClaimType ?? JwtRegisteredClaimNames.Sub,
                ValidIssuers = new[] { token.Issuer }

            bool isValid = false;

                string jwt = token.RawData;
                SecurityToken securityToken = null;
                claimsPrincipal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out securityToken);
                isValid = claimsPrincipal.Identity.IsAuthenticated;
            catch (SecurityTokenExpiredException)
            catch (SecurityTokenInvalidSignatureException ex)

What is correct way to verify validity for both .NET 4.6.1 and .NET Core?

kat1330 Reply to 2017-12-04 20:01:32Z

Thanks to lovemaths and brentschmaltz.

This behaviour happened because .net 4.6.1 doesn't remove leading 0x00. Pull request is already merged and it will be available in version 5.2.0.

For more details please visit issues on github.

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.592961 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO