
Microsoft.IdentityModel.Protocols.OpenIdConnect version 7+ does not read at least couple of properties (Issuers, IssuerSigningKeys JwksUri) #52330

Closed
1 task done
eirikurharaldsson opened this issue Nov 23, 2023 · 6 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Comments

@eirikurharaldsson

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

There is a bug in

This worked in version 6 and below.

This also affects the JwtBearer package which depends on OpenIdConnect (When JwtBearer is upgraded to version 8, you will be using 7.0.3 of OpenIdConnect)

[screenshots: console output under version 6 vs. version 7+]

Expected Behavior

Using our console app example (in Steps To Reproduce):
JwksUri has a value and is written to the screen. (Expected)
The same goes for Issuers and SigningKeys. (Expected)
This used to work in version 6 but broke in version 7+.

Steps To Reproduce

Console app to reproduce the problem:
Install NuGet package Microsoft.IdentityModel.Protocols.OpenIdConnect 7.0.3

// Usings needed for the snippet to compile as a .NET 8 top-level program
using System;
using System.Net.Http;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var jwtAuthority = "https://[youropenidserver]/oauth/v2/oauth"; // without the "/.well-known/openid-configuration" part

// Fetches and caches the discovery document for the given authority
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
       $"{jwtAuthority}/.well-known/openid-configuration",
          new OpenIdConnectConfigurationRetriever(),
             new HttpDocumentRetriever(new HttpClient()));

// GetConfigurationAsync has a time interval that must pass before a new http request will be issued.
var configuration = await configManager.GetConfigurationAsync(new CancellationToken());

// Under version 6 these print the metadata values; under 7.0.3 JwksUri is empty and SigningKeys has no entries
Console.WriteLine(configuration.JwksUri);

var issuers = new[] { configuration.Issuer };
var issuerSigningKeys = configuration.SigningKeys;

foreach (var issuer in issuers)
{
    Console.WriteLine(issuer);
}

foreach (var issuerSigningKey in issuerSigningKeys)
{
    Console.WriteLine(issuerSigningKey);
}

Exceptions (if any)

No response

.NET Version

8

Anything else?

No response

@DyByronWu

I've encountered the same issue. Is there a solution?

@hughnatt

hughnatt commented Dec 6, 2023

I've encountered the same issue. Is there a solution?

@DyByronWu See the following thread : #52296 (comment)

@halter73
Member

Based on your repro, it looks like there is no aspnetcore dependency in your app. The GitHub repo for Microsoft.IdentityModel.Protocols.OpenIdConnect and other Microsoft.IdentityModel packages is at https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet, so I encourage you to file this issue there if you're still having issues. I would transfer it myself, but that's not possible between GitHub orgs.

I saw that you mentioned that this is the same issue as #52296. If that's the case, I think there is a misunderstanding. The OpenIdConnectHandler and JwtBearerHandler both work when given just an authority. I described in my last comment before closing the issue how the change is just that metadata is retrieved lazily.

I don't see why your repro code is working for you. It's simple enough, I tried it myself even though I don't work on IdentityModel directly, and everything seems to work with "https://login.microsoftonline.com/common/v2.0/" as my jwtAuthority.

> dotnet run
Hello, World!
https://login.microsoftonline.com/common/discovery/v2.0/keys
https://login.microsoftonline.com/{tenantid}/v2.0
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'kWbkaa6qs8wsTnBwiiNYOhHbnAw', InternalId: 'kWbkaa6qs8wsTnBwiiNYOhHbnAw'.
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'kWbkaa6qs8wsTnBwiiNYOhHbnAw', InternalId: 'TQNGfjqX8XPP8WW7cymNSbBHa59FX0ZGfYxgfvqi_tI'.
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'XRvko8P7A3UaWSnU7bM9nT0MjhA', InternalId: 'XRvko8P7A3UaWSnU7bM9nT0MjhA'.
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'XRvko8P7A3UaWSnU7bM9nT0MjhA', InternalId: 'cA2ujvhrB0H4CQvjDUTiEpy0X5qyrwcl-L3gq76tzKU'.
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'qor_VePWgmxWy3r1dpfsWsw2-zY', InternalId: 'qor_VePWgmxWy3r1dpfsWsw2-zY'.
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'qor_VePWgmxWy3r1dpfsWsw2-zY', InternalId: '6gTfcdedQPoBFusIK8iZMS9SvB5VpbvKoJWlfSsht2k'.
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '2Spohh9y2me52nKrhai7GxWJibU', InternalId: '2Spohh9y2me52nKrhai7GxWJibU'.
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: '2Spohh9y2me52nKrhai7GxWJibU', InternalId: '-j5L-o3PHcPm5SoapKUpGDlXEwgc7ZC_JjP2QWu_FAI'.
Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'tR4wkYhHxHo_qeprS08Cuw8xcOw', InternalId: 'tR4wkYhHxHo_qeprS08Cuw8xcOw'.
Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'tR4wkYhHxHo_qeprS08Cuw8xcOw', InternalId: 'PqPqo8eUWe7LXZoOlXgNhN20EXHDHveU4JwKri_Z29g'.

@eirikurharaldsson
Author

eirikurharaldsson commented Feb 28, 2024

@halter73 Why are you closing this issue?
You are right, this works with the microsoftonline IdP.
I looked into what was different in my metadata vs. the microsoftonline one.
I hosted a local file and removed JSON elements until GetConfigurationAsync returned the JwksUri.
When I removed the mtls_endpoint_aliases, GetConfigurationAsync was able to return the JwksUri from the metadata.

The parsing behind OpenIdConnectConfigurationRetriever has problems parsing this section; it seems to be much more strict about what properties are supported with what types.
Identity servers like PingIdentity, Auth0 and Curity already support this section in the OpenID metadata, so this has to be supported by the OpenId package.

Example of the section:
"mtls_endpoint_aliases": {
"token_endpoint": "https://idpserver/oauth/v2/oauth-token",
"revocation_endpoint": "https://idpserver/oauth/v2/oauth-revoke",
"introspection_endpoint": "https://idpserver/oauth/v2/oauth-introspect",
"pushed_authorization_request_endpoint": "https://idpserver/oauth/v2/oauth-authorize/par",
"userinfo_endpoint": "https://idpserver/oauth/v2/oauth-userinfo"
},

Everything after this section is ignored by OpenIdConnectConfigurationRetriever.
See below:
[screenshot of the parsed configuration]
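The failure mode described in this thread is a parser that stops at a nested section it does not expect and hands back a configuration with an empty JwksUri and no SigningKeys, which the caller only notices once token validation starts failing. The following is an added example, not code from the issue or from the IdentityModel library, showing how a defensive consumer of a discovery document can walk nested members such as mtls_endpoint_aliases (defined in RFC 8705) with System.Text.Json and fail fast on the fields that must be present. The metadata JSON is constructed for the example and "https://idpserver" is a placeholder host; the same-host check between issuer and jwks_uri is a policy choice assumed here, which you would relax for a provider that serves its JWKS from a separate host.

```csharp
// Added example for a .NET 8 top-level program (C# 11 raw string literals).
using System;
using System.Text.Json;

// Constructed sample metadata: the mtls_endpoint_aliases object sits before
// jwks_uri, the layout that tripped the 7.0.x retriever in this thread.
var metadataJson = """
{
  "issuer": "https://idpserver/oauth/v2/oauth-anonymous",
  "token_endpoint": "https://idpserver/oauth/v2/oauth-token",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://idpserver/oauth/v2/oauth-token",
    "userinfo_endpoint": "https://idpserver/oauth/v2/oauth-userinfo"
  },
  "jwks_uri": "https://idpserver/oauth/v2/oauth-anonymous/jwks",
  "id_token_signing_alg_values_supported": ["RS256", "ES256"]
}
""";

var doc = DiscoveryDocument.Parse(metadataJson, expectedIssuer: "https://idpserver/oauth/v2/oauth-anonymous");
Console.WriteLine($"issuer             : {doc.Issuer}");
Console.WriteLine($"jwks_uri           : {doc.JwksUri}");
Console.WriteLine($"mTLS token endpoint: {doc.MtlsTokenEndpoint ?? "(none)"}");
// Only once these checks pass would a real client fetch doc.JwksUri and hand
// the keys to TokenValidationParameters.IssuerSigningKeys.

sealed record DiscoveryDocument(string Issuer, Uri JwksUri, string? MtlsTokenEndpoint)
{
    public static DiscoveryDocument Parse(string json, string expectedIssuer)
    {
        using var parsed = JsonDocument.Parse(json);
        var root = parsed.RootElement;

        // OpenID Connect Discovery marks issuer and jwks_uri as REQUIRED. Throwing
        // here is the fail-closed alternative to silently returning empty values.
        var issuer = RequiredString(root, "issuer");
        var jwksUri = new Uri(RequiredString(root, "jwks_uri"), UriKind.Absolute);

        // The issuer in the document must be the authority we configured; a
        // substituted document must not be able to point us at foreign keys.
        if (!string.Equals(issuer, expectedIssuer, StringComparison.Ordinal))
            throw new InvalidOperationException($"issuer mismatch: metadata says '{issuer}', expected '{expectedIssuer}'");

        // Keys are fetched over TLS only, and (assumed policy) from the issuer's own host.
        if (jwksUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("jwks_uri must use https");
        var issuerHost = new Uri(issuer, UriKind.Absolute).Host;
        if (!string.Equals(jwksUri.Host, issuerHost, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"jwks_uri host '{jwksUri.Host}' does not match issuer host '{issuerHost}'");

        // Optional nested section (RFC 8705). Walking it with the JsonElement API
        // means an unexpected member type can never cut the rest of the parse short.
        string? mtlsToken = null;
        if (root.TryGetProperty("mtls_endpoint_aliases", out var aliases)
            && aliases.ValueKind == JsonValueKind.Object
            && aliases.TryGetProperty("token_endpoint", out var tokenEndpoint)
            && tokenEndpoint.ValueKind == JsonValueKind.String)
        {
            mtlsToken = tokenEndpoint.GetString();
        }

        return new DiscoveryDocument(issuer, jwksUri, mtlsToken);
    }

    private static string RequiredString(JsonElement root, string name)
    {
        if (!root.TryGetProperty(name, out var value) || value.ValueKind != JsonValueKind.String)
            throw new InvalidOperationException($"discovery document is missing required string '{name}'");
        return value.GetString()!;
    }
}
```

Running this prints the issuer, the jwks_uri and the mTLS token endpoint from the sample document; deleting the "jwks_uri" member from the sample makes Parse throw instead of returning a half-populated object, which is the check that would have surfaced the 7.0.3 behaviour at startup rather than at the first rejected token.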

@halter73
Member

halter73 commented Feb 28, 2024

Can you please file the issue at https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet with a reference to this issue and details about "mtls_endpoint_aliases"? That's where OpenIdConnectConfigurationRetriever lives, so any fixes will have to be done there.

@eirikurharaldsson
Author

They have now fixed some critical bugs along with this one in version 7.4.0 of the OpenIdConnect package.

I would recommend that the JwtBearer package be updated to use the 7.4.0 OpenIdConnect package. It's now using this: Microsoft.IdentityModel.Protocols.OpenIdConnect (>= 7.1.2)

A workaround is installing Microsoft.IdentityModel.Protocols.OpenIdConnect version 7.4.0 after installing the JwtBearer package.
