JwtSecurityTokenHandler.ReadJwtToken is not reading the issuer #3005

Closed
abhaysharma3021 opened this issue Nov 14, 2024 · 2 comments
Labels
Dependency Mismatch Transitive dependency might be at play and create issues resulting in incorrect versions of a class

Comments


abhaysharma3021 commented Nov 14, 2024

Hi,

I'm using ASP.NET Core 8 Web API, and I encountered an "Unauthorized" error with the token I generated. While debugging, I discovered that JwtSecurityTokenHandler.ReadJwtToken is not reading the iss claim from the token. However, when I checked the same token on the jwt.io website, I could see the iss claim present. I'm confused about what's happening. Below, I'm attaching a sample of the code for reference.

This is the GenerateToken function, where I'm writing the token and reading it immediately to debug what the issue is.

```csharp
// Namespaces this method needs
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

private string GenerateToken(User user)
{
    var jwtSettings = _configuration.GetSection("Jwt");
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings["key"]!));
    var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature);

    var issuer = jwtSettings["Issuer"]!;
    var audience = jwtSettings["Audience"]!;

    // Define token claims
    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
        new Claim(ClaimTypes.Email, user.Email.ToString()),
        new Claim(ClaimTypes.Name, $"{user.Name}")
    };

    // One role claim per role assigned to the user
    foreach (var roles in user.UserRoles)
    {
        claims.Add(new Claim(ClaimTypes.Role, roles.Role.Name));
    }

    // SecurityTokenDescriptor for generating the token
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(claims),
        Expires = DateTime.UtcNow.AddDays(double.Parse(jwtSettings["ExpiresInDays"]!)),
        Issuer = issuer.Trim(),
        Audience = audience.Trim(),
        SigningCredentials = credentials
    };

    var tokenHandler = new JwtSecurityTokenHandler();

    // Create and write token
    var token = tokenHandler.CreateToken(tokenDescriptor);
    var writtenToken = tokenHandler.WriteToken(token);

    // Read back the token (debugging only: inspect jwtToken in the debugger)
    var jwtToken = tokenHandler.ReadJwtToken(writtenToken);

    return writtenToken;
}
```

token variable value:

```
{
    "alg": "HS256",
    "typ": "JWT"
}
{
    "nameid": "52bab80c-422c-4ac3-88bc-a960f55b7e59",
    "email": "[email protected]",
    "unique_name": "Abhay Sharma",
    "role": "Admin",
    "nbf": 1731044568,
    "exp": 1731649365,
    "iat": 1731044568,
    "iss": "https://localhost:7039",
    "aud": "https://localhost:7039"
}
```

jwtToken variable value:

```
{
    "alg": "HS256"
}
{
    "nameid": "52bab80c-422c-4ac3-88bc-a960f55b7e59",
    "unique_name": "Abhay Sharma",
    "nbf": 1731044568,
    "iat": 1731044568,
    "aud": "https://localhost:7039"
}
```

When reading the same token, it does not show the iss. Due to this, when validating the token, I always get an error.


cpriestland commented Dec 2, 2024

This seems to be happening because the package Microsoft.AspNetCore.Authentication.JwtBearer version 8.0.11 is implicitly referencing System.IdentityModel.Tokens.Jwt which is currently version 8.2.1. They need to update Microsoft.AspNetCore.Authentication.JwtBearer to update System.IdentityModel.Tokens.Jwt to version 8.2.1.

If you install the dependency directly, it fixes the issue. We had this issue in multiples of our services. I +1 for getting this package updated.
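
A startup guard for the mismatch discussed in this thread, as an added example that is not part of the issue or the library's own code. `IdentityModelSelfCheck` and `https://issuer.example` are hypothetical names, and the check assumes every loaded `Microsoft.IdentityModel.*` assembly is meant to share one version with `System.IdentityModel.Tokens.Jwt`.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Added example: hypothetical helper, not part of the IdentityModel libraries.
public static class IdentityModelSelfCheck
{
    // Returns "name version" for every loaded IdentityModel assembly.
    public static string[] LoadedVersions()
    {
        // Referencing one type per package guarantees these three are loaded.
        var pinned = new[] { typeof(JwtSecurityTokenHandler).Assembly,
            typeof(JsonWebTokenHandler).Assembly, typeof(SecurityToken).Assembly };
        return AppDomain.CurrentDomain.GetAssemblies().Concat(pinned).Distinct()
            .Select(a => a.GetName())
            .Where(n => n.Name is string s && (s == "System.IdentityModel.Tokens.Jwt"
                || s.StartsWith("Microsoft.IdentityModel.", StringComparison.Ordinal)))
            .Select(n => $"{n.Name} {n.Version}").ToArray();
    }

    // Writes a token and reads it back, like the debug code in the issue,
    // where both iss and exp were missing after the read.
    public static bool ClaimsSurviveRoundTrip(string issuer = "https://issuer.example")
    {
        var key = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32)); // throwaway key
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = issuer,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256),
        });
        var readBack = handler.ReadJwtToken(handler.WriteToken(token));
        return readBack.Issuer == issuer && readBack.ValidTo > DateTime.UtcNow;
    }

    // Throws at startup instead of letting every request fail with 401.
    public static void EnsureConsistent()
    {
        var versions = LoadedVersions();
        bool mixed = versions.Select(v => v.Split(' ')[1]).Distinct().Count() > 1;
        if (mixed || !ClaimsSurviveRoundTrip())
            throw new InvalidOperationException(
                "Inconsistent IdentityModel assemblies:\n" + string.Join("\n", versions));
    }
}
```

Call `IdentityModelSelfCheck.EnsureConsistent()` after the authentication services have been built, since only assemblies that are already loaded are inspected.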

jennyf19 added the "Dependency Mismatch" label (Transitive dependency might be at play and create issues resulting in incorrect versions of a class) Jan 5, 2025
Collaborator

jennyf19 commented Jan 5, 2025

Thanks for the assessment @cpriestland

@abhaysharma3021 please follow this issue for updates: #2513

jennyf19 closed this as completed Jan 5, 2025