IDX10625
If you receive the following exception:

`"IDX10625: Failed to verify authenticationTag, the actual tag length '36' does not match the expected tag length '32'. authenticationTag: 'XFBoMYUZodetZdvTiFvSkQCsdfawerwWqXez', algorithm: 'A256CBC-HS512'. See: https://aka.ms/IdentityModel/SkipAuthenticationTagLengthValidation"`
This means that the authenticationTag has likely been altered.
The expected authenticationTag length varies by algorithm:

| Supported Algorithms | Expected Auth Tag size |
|---|---|
| Aes128Gcm | 16 bytes |
| Aes192Gcm | 16 bytes |
| Aes256Gcm | 16 bytes |
| Aes128CbcHmacSha256 | 16 bytes |
| Aes192CbcHmacSha384 | 24 bytes |
| Aes256CbcHmacSha512 | 36 bytes |
In Microsoft.IdentityModel 7.5.2 we fixed this bug (Verify authentication tag length). The fix ensures that you conform to the specification.
If you receive this exception, this means that the authentication tag has been altered. Do not alter the authentication tag or append any characters to the end of a JWE.
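To show what this check rejects, here is an added Python example (not the Microsoft.IdentityModel code) that splits a compact JWE, compares the decoded tag length with the length expected for the `enc` algorithm in the protected header, and for the CBC-HMAC modes recomputes the RFC 7518 tag with the proper MAC key and compares it in constant time. The expected lengths follow RFC 7518 (GCM tags are 16 bytes; CBC-HMAC tags are half the HMAC output, so 32 bytes for A256CBC-HS512, the value the exception above reports); the key, IV and ciphertext bytes are constructed placeholders, and `make_sample_jwe` is a helper of this example, not part of the library.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Optional

# Expected tag length per RFC 7518: 128-bit GCM tags; CBC-HMAC tags are half the HMAC output (sec. 5.2).
EXPECTED_TAG_LEN = {"A128GCM": 16, "A192GCM": 16, "A256GCM": 16,
                    "A128CBC-HS256": 16, "A192CBC-HS384": 24, "A256CBC-HS512": 32}
HMAC_FOR = {"A128CBC-HS256": hashlib.sha256, "A192CBC-HS384": hashlib.sha384,
            "A256CBC-HS512": hashlib.sha512}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def cbc_hmac_tag(enc: str, key: bytes, protected_b64: str, iv: bytes, ct: bytes) -> bytes:
    """RFC 7518 5.2.2.1: HMAC(MAC_KEY, AAD || IV || C || AL), truncated to T_LEN."""
    mac_key = key[: len(key) // 2]              # MAC_KEY is the first half of K
    aad = protected_b64.encode("ascii")         # AAD is the encoded protected header
    al = struct.pack(">Q", len(aad) * 8)        # AL: AAD length in bits, 64-bit big-endian
    full = hmac.new(mac_key, aad + iv + ct + al, HMAC_FOR[enc]).digest()
    return full[: len(full) // 2]

def check_tag(compact_jwe: str, key: Optional[bytes] = None) -> tuple:
    """Return (ok, reason): the IDX10625 length check first, then the HMAC comparison."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return False, "not a compact JWE"
    protected_b64, _encrypted_key, iv_b64, ct_b64, tag_b64 = parts
    enc = json.loads(b64url_decode(protected_b64))["enc"]
    tag = b64url_decode(tag_b64)
    expected = EXPECTED_TAG_LEN[enc]
    if len(tag) != expected:   # characters appended to a JWE land in the tag segment
        return False, f"tag length {len(tag)} does not match expected {expected} for {enc}"
    if enc in HMAC_FOR and key is not None:
        computed = cbc_hmac_tag(enc, key, protected_b64, b64url_decode(iv_b64), b64url_decode(ct_b64))
        if not hmac.compare_digest(tag, computed):
            return False, "authentication tag does not verify"
    return True, "ok"

def make_sample_jwe(key: bytes, enc: str = "A256CBC-HS512") -> str:
    """Constructed alg 'dir' JWE (hypothetical helper). The ciphertext bytes are placeholders,
    not real AES output; the tag depends only on AAD, IV and ciphertext bytes, so the check is exact."""
    protected_b64 = b64url_encode(json.dumps({"alg": "dir", "enc": enc}).encode("utf-8"))
    iv, ciphertext = bytes(range(16)), b"\x10" * 32
    tag = cbc_hmac_tag(enc, key, protected_b64, iv, ciphertext)
    return ".".join([protected_b64, "", b64url_encode(iv), b64url_encode(ciphertext), b64url_encode(tag)])
```

Appending characters to the end of the JWE changes the decoded tag length, so such a token is rejected before the HMAC is even computed; a same-length but modified tag is rejected by the HMAC comparison.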
If you really cannot act immediately, you can set a feature flag to bypass this security check. We encourage you, however, not to bypass this check. To set this feature flag, update your configuration file. For instance, if your configuration is an appsettings.json file, use:

```xml
<appSettings>
  <add key="AppContext.SetSwitch:Switch.Microsoft.IdentityModel.SkipAuthenticationTagLengthValidation" value="true" />
</appSettings>
```

See the article "AppContext for library consumers" for all the ways you can enable this switch in your application.