Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MissingMethodException while HandleAuthenticateAsync in JwtBearerHandler #14252

Closed
knoxi opened this issue Sep 23, 2019 · 18 comments
Closed

MissingMethodException while HandleAuthenticateAsync in JwtBearerHandler #14252

knoxi opened this issue Sep 23, 2019 · 18 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue.

Comments

@knoxi
Copy link

knoxi commented Sep 23, 2019
edited
Loading

Describe the bug

I get a MissingMethodException when validating a JWT token while accessing an API controller which needs authorization.

To Reproduce

Steps to reproduce the behavior:

  1. Using the latest version of ASP.NET Core '3.0.0-rc1.19457.4'
  2. Use the JWT bearer middleware in startup: services.AddJwtBearer()
  3. access an API with needs authorization with a valid token
  4. While validating the JWT bearer token, the error "MissingMethodException" appears

Screenshots

2019-09-23 13_01_02-MissingMethodException_1
@blowdart blowdart added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Sep 23, 2019
@blowdart
Copy link
Contributor

@Tratcher ?

@Tratcher
Copy link
Member

@knoxi this primarily happens when mixing incompatible dependency versions. Please share your full dependency list.

@knoxi
Copy link
Author

knoxi commented Sep 25, 2019

@Tratcher
good hint, we are using the newest preview of the OpenIddict library. It seems that this library uses a preview version of Microsoft.IdentityModel.JsonWebTokens.

Here is the dependency list of the asp.net core application:

  [.NETCoreApp,Version=v3.0]
  Corp.DataAccess.Common, v0.10.5-beta-0004
    Corp.DependencyInjection.Common, v0.10.5-beta-0004
      System.ComponentModel, v4.3.0
    AutoMapper, v9.0.0
      Microsoft.CSharp, v4.6.0
      System.Reflection.Emit, v4.3.0
    System.Linq, v4.3.0
    System.Linq.Queryable, v4.3.0
  Corp.DataAccess.EntityFramework, v0.10.5-beta-0004
    Corp.DataAccess.Common, v0.10.5-beta-0004
      Corp.DependencyInjection.Common, v0.10.5-beta-0004
        System.ComponentModel, v4.3.0
      AutoMapper, v9.0.0
        Microsoft.CSharp, v4.6.0
        System.Reflection.Emit, v4.3.0
      System.Linq, v4.3.0
      System.Linq.Queryable, v4.3.0
    Corp.DependencyInjection.Common, v0.10.5-beta-0004
      System.ComponentModel, v4.3.0
    Corp.Modularity.Common, v0.10.5-beta-0004
      Corp.DataAccess.Common, v0.10.5-beta-0004
        Corp.DependencyInjection.Common, v0.10.5-beta-0004
          System.ComponentModel, v4.3.0
        AutoMapper, v9.0.0
          Microsoft.CSharp, v4.6.0
          System.Reflection.Emit, v4.3.0
        System.Linq, v4.3.0
        System.Linq.Queryable, v4.3.0
      Corp.DependencyInjection.Common, v0.10.5-beta-0004
        System.ComponentModel, v4.3.0
      System.Threading.ThreadPool, v4.3.0
    Microsoft.EntityFrameworkCore, v3.0.0
    Microsoft.EntityFrameworkCore.Relational, v3.0.0
  Corp.DependencyInjection.AspNet, v0.10.5-beta-0004
    Corp.DataAccess.Common, v0.10.5-beta-0004
      Corp.DependencyInjection.Common, v0.10.5-beta-0004
        System.ComponentModel, v4.3.0
      AutoMapper, v9.0.0
        Microsoft.CSharp, v4.6.0
        System.Reflection.Emit, v4.3.0
      System.Linq, v4.3.0
      System.Linq.Queryable, v4.3.0
    Corp.DataAccess.EntityFramework, v0.10.5-beta-0004
      Corp.DataAccess.Common, v0.10.5-beta-0004
        Corp.DependencyInjection.Common, v0.10.5-beta-0004
          System.ComponentModel, v4.3.0
        AutoMapper, v9.0.0
          Microsoft.CSharp, v4.6.0
          System.Reflection.Emit, v4.3.0
        System.Linq, v4.3.0
        System.Linq.Queryable, v4.3.0
      Corp.DependencyInjection.Common, v0.10.5-beta-0004
        System.ComponentModel, v4.3.0
      Corp.Modularity.Common, v0.10.5-beta-0004
        Corp.DataAccess.Common, v0.10.5-beta-0004
          Corp.DependencyInjection.Common, v0.10.5-beta-0004
            System.ComponentModel, v4.3.0
          AutoMapper, v9.0.0
            Microsoft.CSharp, v4.6.0
            System.Reflection.Emit, v4.3.0
          System.Linq, v4.3.0
          System.Linq.Queryable, v4.3.0
        Corp.DependencyInjection.Common, v0.10.5-beta-0004
          System.ComponentModel, v4.3.0
        System.Threading.ThreadPool, v4.3.0
      Microsoft.EntityFrameworkCore, v3.0.0
      Microsoft.EntityFrameworkCore.Relational, v3.0.0
    Corp.DependencyInjection.Common, v0.10.5-beta-0004
      System.ComponentModel, v4.3.0
    Corp.Modularity.Common, v0.10.5-beta-0004
      Corp.DataAccess.Common, v0.10.5-beta-0004
        Corp.DependencyInjection.Common, v0.10.5-beta-0004
          System.ComponentModel, v4.3.0
        AutoMapper, v9.0.0
          Microsoft.CSharp, v4.6.0
          System.Reflection.Emit, v4.3.0
        System.Linq, v4.3.0
        System.Linq.Queryable, v4.3.0
      Corp.DependencyInjection.Common, v0.10.5-beta-0004
        System.ComponentModel, v4.3.0
      System.Threading.ThreadPool, v4.3.0
    Microsoft.EntityFrameworkCore.SqlServer, v3.0.0
    Microsoft.Extensions.Configuration.Abstractions, v3.0.0
  Corp.DependencyInjection.AutofacAdapter, v0.10.5-beta-0004
    Corp.DependencyInjection.Common, v0.10.5-beta-0004
      System.ComponentModel, v4.3.0
    Autofac, v4.9.4
    Autofac.Extensions.DependencyInjection, v5.0.0
      Autofac, v4.9.4
      Microsoft.Extensions.DependencyInjection.Abstractions, v3.0.0
    Microsoft.Extensions.DependencyInjection, v3.0.0
    Microsoft.Extensions.Hosting, v3.0.0
  Corp.Modularity.Common, v0.10.5-beta-0004
    Corp.DataAccess.Common, v0.10.5-beta-0004
      Corp.DependencyInjection.Common, v0.10.5-beta-0004
        System.ComponentModel, v4.3.0
      AutoMapper, v9.0.0
        Microsoft.CSharp, v4.6.0
        System.Reflection.Emit, v4.3.0
      System.Linq, v4.3.0
      System.Linq.Queryable, v4.3.0
    Corp.DependencyInjection.Common, v0.10.5-beta-0004
      System.ComponentModel, v4.3.0
    System.Threading.ThreadPool, v4.3.0
  AsyncFixer, v1.1.6
  Lindhart.Analyser.MissingAwaitWarning, v1.2.0
    System.Threading.Tasks.Extensions, v4.5.3
  Microsoft.AspNetCore.Authentication.Google, v3.0.0
  Microsoft.AspNetCore.Authentication.JwtBearer, v3.0.0
  Microsoft.AspNetCore.Authentication.Twitter, v3.0.0
  Microsoft.AspNetCore.DataProtection.EntityFrameworkCore, v3.0.0
  Microsoft.AspNetCore.Mvc.NewtonsoftJson, v3.0.0
  Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation, v3.0.0
  Microsoft.AspNetCore.Mvc.Versioning, v4.0.0-preview8.19405.7
  Microsoft.AspNetCore.Mvc.Versioning.ApiExplorer, v4.0.0-preview8.19405.7
  Microsoft.CodeAnalysis.CSharp.Features, v3.3.1
  Microsoft.CodeAnalysis.FxCopAnalyzers, v2.9.5-beta1.final
  Microsoft.Extensions.Caching.SqlServer, v3.0.0
  Microsoft.Extensions.DependencyInjection, v3.0.0
  OpenIddict.AspNetCore, v3.0.0-alpha1.19472.65
    OpenIddict, v3.0.0-alpha1.19472.65
      OpenIddict.Abstractions, v3.0.0-alpha1.19472.65
        Microsoft.Extensions.DependencyInjection.Abstractions, v3.0.0
        Microsoft.Extensions.Primitives, v3.0.0
        Newtonsoft.Json, v12.0.2
        System.Collections.Immutable, v1.6.0
        System.ComponentModel.Annotations, v4.6.0
      OpenIddict.Core, v3.0.0-alpha1.19472.65
        Microsoft.Extensions.Caching.Memory, v3.0.0
        Microsoft.Extensions.Logging, v3.0.0
        Microsoft.Extensions.Options, v3.0.0
        OpenIddict.Abstractions, v3.0.0-alpha1.19472.65
          Microsoft.Extensions.DependencyInjection.Abstractions, v3.0.0
          Microsoft.Extensions.Primitives, v3.0.0
          Newtonsoft.Json, v12.0.2
          System.Collections.Immutable, v1.6.0
          System.ComponentModel.Annotations, v4.6.0
        System.Linq.Async, v4.0.0-preview.6.build.801
      OpenIddict.Server, v3.0.0-alpha1.19472.65
        Microsoft.Extensions.Logging, v3.0.0
        Microsoft.IdentityModel.JsonWebTokens, v6.2.0-preview-60906195846
        OpenIddict.Abstractions, v3.0.0-alpha1.19472.65
          Microsoft.Extensions.DependencyInjection.Abstractions, v3.0.0
          Microsoft.Extensions.Primitives, v3.0.0
          Newtonsoft.Json, v12.0.2
          System.Collections.Immutable, v1.6.0
          System.ComponentModel.Annotations, v4.6.0
    OpenIddict.Server.AspNetCore, v3.0.0-alpha1.19472.65
      Newtonsoft.Json.Bson, v1.0.2
        Newtonsoft.Json, v12.0.2
      OpenIddict.Server, v3.0.0-alpha1.19472.65
        Microsoft.Extensions.Logging, v3.0.0
        Microsoft.IdentityModel.JsonWebTokens, v6.2.0-preview-60906195846
        OpenIddict.Abstractions, v3.0.0-alpha1.19472.65
          Microsoft.Extensions.DependencyInjection.Abstractions, v3.0.0
          Microsoft.Extensions.Primitives, v3.0.0
          Newtonsoft.Json, v12.0.2
          System.Collections.Immutable, v1.6.0
          System.ComponentModel.Annotations, v4.6.0
  OpenIddict.Server.DataProtection, v3.0.0-alpha1.19472.65
    Microsoft.AspNetCore.DataProtection, v3.0.0
    OpenIddict.Server, v3.0.0-alpha1.19472.65
      Microsoft.Extensions.Logging, v3.0.0
      Microsoft.IdentityModel.JsonWebTokens, v6.2.0-preview-60906195846
      OpenIddict.Abstractions, v3.0.0-alpha1.19472.65
        Microsoft.Extensions.DependencyInjection.Abstractions, v3.0.0
        Microsoft.Extensions.Primitives, v3.0.0
        Newtonsoft.Json, v12.0.2
        System.Collections.Immutable, v1.6.0
        System.ComponentModel.Annotations, v4.6.0
  Swashbuckle.AspNetCore.Annotations, v5.0.0-rc3
    Swashbuckle.AspNetCore.SwaggerGen, v5.0.0-rc3
      Microsoft.AspNetCore.Mvc.NewtonsoftJson, v3.0.0
      Microsoft.OpenApi, v1.1.1
      Swashbuckle.AspNetCore.Swagger, v5.0.0-rc3
        Microsoft.AspNetCore.Mvc.Core, v2.0.0
        Microsoft.OpenApi, v1.1.1
  Swashbuckle.AspNetCore.SwaggerGen, v5.0.0-rc3
    Microsoft.AspNetCore.Mvc.NewtonsoftJson, v3.0.0
    Microsoft.OpenApi, v1.1.1
    Swashbuckle.AspNetCore.Swagger, v5.0.0-rc3
      Microsoft.AspNetCore.Mvc.Core, v2.0.0
      Microsoft.OpenApi, v1.1.1

@kevinchalet
Copy link
Contributor

It seems that this library uses a preview version of Microsoft.IdentityModel.JsonWebTokens.

That's exact. That said, I'm surprised because:

  • We've been told that the new JWT stack - built around JsonWebTokenHandler - would now live in Microsoft.IdentityModel.JsonWebTokens to avoid breaking changes in the older System.IdentityModel.Tokens.Jwt library. It kinda defeats the whole purpose of having a new package if referencing the two packages in the same project breaks things 😕

  • Microsoft.IdentityModel.JsonWebTokens was, AFAIK, supposed to ship with .NET Core 3.0. It's not clear why the JWT handler is still using System.IdentityModel.Tokens.Jwt.

@Tratcher
Copy link
Member

@brentschmaltz ?

@analogrelay
Copy link
Contributor

@knoxi It seems like this is a result of some refactoring in the IdentityModel libraries. It may be that OpenIddict is using a version of these types that is incompatible with the version ASP.NET Core uses.

@jmprieur do you have any context on this change?

@analogrelay analogrelay added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Sep 26, 2019
@jmprieur
Copy link
Contributor

I don't. @brentschmaltz will know.

@henrik-me
Copy link

henrik-me commented Sep 27, 2019
edited
Loading

I'm wondering where you got Microsoft.IdentityModel.JsonWebTokens, v6.2.0-preview-60906195846 from. That is at this time internal only (not shipped for broader consumption). Can you use the latest v5?

@kevinchalet
Copy link
Contributor

I'm wondering where you got Microsoft.IdentityModel.JsonWebTokens, v6.2.0-preview-60906195846 from.

From the AzureAD MyGet feed.

Can you use the latest v5?

Not without reintroducing horrible workarounds, since JsonWebTokenHandler in 5.x has a few annoying bugs and limitations. Most notably, it doesn't support SecurityTokenDescriptor.Subject (so you can't use a ClaimsIdentity to create a token) and it produces tokens with completely non-standard iat/exp/nbf claims:

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1193
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1207

@brentschmaltz
Copy link
Contributor

@PinpointTownes we have cherry-picked the fixes above into our nightlies and can release a new 5x version.
You can try the latest 5.x version and see if it meets your needs.
Are there any other issues?

We don't support 6.x yet, it's not ready for asp.net 3.0.

@kevinchalet
Copy link
Contributor

@brentschmaltz I don't mind giving it a try, but where can I download the latest 5.x nightly build?
I only see 6.2.x packages on the Azure AD MyGet feed.

@brentschmaltz
Copy link
Contributor

@PinpointTownes also we are going to be releasing a new 5.x version within a week or two that will have the feature you are looking for.

Our MyGet feed retention rules were only keeping the 6.x versions. I reset them and kicked off debug and release builds.

If you have some small fixes, we may be able to get them into 5.x :-).

@kevinchalet kevinchalet mentioned this issue Sep 30, 2019
Merged
@kevinchalet
Copy link
Contributor

@PinpointTownes also we are going to be releasing a new 5.x version within a week or two that will have the feature you are looking for.

Thanks, looks like 5.5.1-preview-60930170140 indeed fixes the annoying bugs I had encountered 😄
Thanks for taking the time to backport these fixes to 5.x, it's much appreciated.

If you have some small fixes, we may be able to get them into 5.x :-).

Being able to control the typ of JWT tokens - for both generation and validation - would be fantastic, but IIRC, it's already on your radar.

@kevinchalet
Copy link
Contributor

kevinchalet commented Sep 30, 2019
edited
Loading

@brentschmaltz FYI, I opened a ticket to track useful improvements to TokenHandler: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1259.

@knoxi OpenIddict 3.0 alpha1 nightly builds targeting 5.5.1-preview-60930170140 are available on the MyGet feed. Please give 'em a try to see if it fixes the problem you were seeing.

@brentschmaltz
Copy link
Contributor

@knoxi @PinpointTownes our myget feed drops packages as we have last '15' packages retained. Just an FYI.

@knoxi
Copy link
Author

knoxi commented Oct 1, 2019

@PinpointTownes thanks for the updated version, the MissingMethodException is now solved.

@knoxi knoxi closed this as completed Oct 1, 2019
@kevinchalet
Copy link
Contributor

@brentschmaltz any chance you could pin the 5.5.1-preview-60930170140 version on MyGet, so it doesn't disappear? 😄

@kevinchalet
Copy link
Contributor

@brentschmaltz looks like that version disappeared from MyGet. Please pin one of the 5.5.1 versions, otherwise, it will be like chasing a moving target 😄

@ghost ghost locked as resolved and limited conversation to collaborators Dec 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@analogrelay @blowdart @Tratcher @brentschmaltz @knoxi @kevinchalet @jmprieur @henrik-me