IDX10720
If you receive an exception such as `IDX10720: Unable to create KeyedHashAlgorithm for algorithm 'SHA256', the key size must be greater than: '256' bits, key has '128' bits. See https://aka.ms/IdentityModel/UnsafeRelaxHmacKeySizeValidation`, it means that you selected HS256 (HMAC using SHA-256) as the signing algorithm but supplied a key shorter than that algorithm requires. The signature is weaker than the algorithm name suggests.
The numbers and the algorithm name in the message vary with the algorithm: HS256 requires at least 256 bits of key, HS384 at least 384 bits, and HS512 at least 512 bits. See RFC 7518 section 3.2 (https://datatracker.ietf.org/doc/html/rfc7518#section-3.2) for details. Note that the check is on key length only: a key built by padding a short passphrase out to 32 bytes passes the check but has far less entropy, so generate keys with a cryptographic random number generator.
Starting with Microsoft.IdentityModel 6.30.1, the library enforces these key sizes when creating HMAC signatures (the fix "Enforce key sizes when creating HMAC"), so that the actual security level matches the algorithm you asked for and your tokens conform to the specification.
If you receive this exception, the best practice is to generate a new random key of at least the number of bits the message asks for, and to deploy it to the token issuer and to every validator that shares the symmetric key.
If you really cannot act immediately, you can set a feature flag to bypass this security check. We encourage you, however, to address the root cause as soon as possible. To set this feature flag, update your application's configuration. For instance, for an ASP.NET application on .NET Framework configured through web.config (this `<appSettings>` syntax is XML configuration, not appsettings.json), add:

```xml
<appSettings>
  <add key="AppContext.SetSwitch:Switch.Microsoft.IdentityModel.UnsafeRelaxHmacKeySizeValidation" value="true" />
</appSettings>
```

See the .NET documentation article "AppContext for library consumers" for all the ways you can enable this switch in your application, including runtimeconfig.json for .NET Core / .NET 5+ applications and `AppContext.SetSwitch` in code. Whichever method you use, the switch must be in effect before the first HMAC signature provider is created.
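The following is an added example, not code from the Microsoft.IdentityModel wiki or library. It shows the situation the exception describes (a 128-bit key with HS256), the length check the library applies, and the fix: generating a key of the required size and signing with it. `HmacKeySizes`, `IsLongEnough`, `NewKey` and `Sign` are helper names chosen here, not library APIs; the issuer and audience values are constructed. It assumes .NET 6 or later and the Microsoft.IdentityModel.JsonWebTokens package, version 6.30.1 or later.

```csharp
// Added example; not code from the Microsoft.IdentityModel wiki or library.
// Assumes .NET 6+ and Microsoft.IdentityModel.JsonWebTokens 6.30.1 or later.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class HmacKeySizes
{
    // Minimum key sizes from RFC 7518 section 3.2: at least the hash output length.
    private static readonly Dictionary<string, int> MinimumBits = new()
    {
        [SecurityAlgorithms.HmacSha256] = 256, // "HS256"
        [SecurityAlgorithms.HmacSha384] = 384, // "HS384"
        [SecurityAlgorithms.HmacSha512] = 512, // "HS512"
    };

    // Hypothetical helper (not a library API): the same length check the library
    // performs before raising IDX10720. It checks length only, not entropy.
    public static bool IsLongEnough(string algorithm, byte[] key) =>
        MinimumBits.TryGetValue(algorithm, out var bits) && key.Length * 8 >= bits;

    // Hypothetical helper: a fresh random key at exactly the algorithm's minimum size.
    public static byte[] NewKey(string algorithm)
    {
        if (!MinimumBits.TryGetValue(algorithm, out var bits))
            throw new ArgumentException($"'{algorithm}' is not an HMAC JWS algorithm", nameof(algorithm));
        return RandomNumberGenerator.GetBytes(bits / 8);
    }

    // Signs a minimal token; with a short key this is where IDX10720 surfaces.
    public static string Sign(byte[] key, string algorithm)
    {
        var credentials = new SigningCredentials(new SymmetricSecurityKey(key), algorithm);
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",   // constructed sample values
            Audience = "api://example",
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = credentials,
        };
        return new JsonWebTokenHandler().CreateToken(descriptor);
    }

    public static void Main()
    {
        const string alg = SecurityAlgorithms.HmacSha256;

        // Constructed sample: a 128-bit key, the case the exception message describes.
        var shortKey = RandomNumberGenerator.GetBytes(16);
        Console.WriteLine($"128-bit key long enough for {alg}? {IsLongEnough(alg, shortKey)}");
        try
        {
            Sign(shortKey, alg);
        }
        catch (Exception ex) when (ex.Message.Contains("IDX10720"))
        {
            Console.WriteLine("Rejected by the library: " + ex.Message);
        }

        // The fix: a randomly generated key of the required size (256 bits for HS256).
        var goodKey = NewKey(alg);
        Console.WriteLine($"New key: {goodKey.Length * 8} bits, long enough? {IsLongEnough(alg, goodKey)}");
        Console.WriteLine("Token: " + Sign(goodKey, alg));

        // Distribute the same key to the issuer and every validator, e.g. base64url in a secret store.
        Console.WriteLine("Key (base64url): " + Base64UrlEncoder.Encode(goodKey));

        // Last resort only, and it must run before the first HMAC is created:
        // AppContext.SetSwitch("Switch.Microsoft.IdentityModel.UnsafeRelaxHmacKeySizeValidation", true);
    }
}
```

The `IsLongEnough` check mirrors what the library enforces, so running it against a key at startup reports the problem before the first token is signed. Because the key is symmetric, the new key generated by `NewKey` has to reach every party that validates the tokens, which is why a deliberate rotation is preferable to flipping the relaxation switch.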