IDX10632: SymmetricSecurityKey.GetKeyedHashAlgorithm( 'HS512' ) threw an exception when validating JWT using HS512 ALGO

4

I'm using the NuGet package System.IdentityModel.Tokens.Jwt version 4.0.4.403061554.

I have an implementation that validates a JWT and it works fine for algo HS256.

However if I change my JWT to be generated using algo HS512 then I receive an error during validation.

System.IdentityModel.SignatureVerificationFailedException
  HResult=0x80131501
  Message=IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey'.
Exceptions caught:
 'System.InvalidOperationException: IDX10632: SymmetricSecurityKey.GetKeyedHashAlgorithm( 'HS512' ) threw an exception.
SymmetricSecurityKey: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey'
SignatureAlgorithm: 'HS512', check to make sure the SignatureAlgorithm is supported.

I've tried generating 512-bit keys, and I've also tried smaller keys like 256-bit keys (the ones that work with HS256), but nothing works.

My implementation is this:

// Namespaces needed for System.IdentityModel.Tokens.Jwt 4.x (types live under System.IdentityModel.Tokens there)
using System.IdentityModel.Tokens;
using System.Text;

// Key built from the raw UTF-8 bytes of the shared secret
InMemorySymmetricSecurityKey signingKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes("secretsigningkey"));
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters()
{
    ValidAudiences = validAudiences,
    ValidIssuers = validIssuers,
    IssuerSigningKey = signingKey
};
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
// Throws the exception shown above when the token's alg header is HS512
var claimsPrincipal = tokenHandler.ValidateToken(token, tokenValidationParameters, out SecurityToken validatedToken);

The exception is thrown by tokenHandler.ValidateToken.

How can I change my code to allow for HS512 (and any other JWT-supported algorithm)?

c#
security
encoding
jwt
identity
asked on Stack Overflow Sep 4, 2020 by darren

2 Answers

2
  1. According to this MSDN document, SecurityAlgorithms doesn't support validating the HS512 algorithm.
  2. Install the JWT decode/validation library: JWT, and its project site: https://github.com/jwt-dotnet/jwt
PM> Install-Package JWT -Version 7.2.1
  3. Use the official JWT documentation and modify your sample code to use the HS512 algorithm; it will look like this:
// Namespaces from the jwt-dotnet package (7.x layout)
using System;
using JWT;
using JWT.Algorithms;
using JWT.Exceptions;
using JWT.Serializers;

try
{
    IJsonSerializer serializer = new JsonNetSerializer();
    var provider = new UtcDateTimeProvider();
    IJwtValidator validator = new JwtValidator(serializer, provider);
    IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
    // Algorithm is fixed here: this decoder only accepts HS512-signed tokens
    IJwtAlgorithm algorithm = new HMACSHA512Algorithm();
    IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);

    // 'token' is the compact JWT string to verify; verify: true checks the signature and expiry
    var json = decoder.Decode(token, "secretsigningkey", verify: true);
    Console.WriteLine(json);
}
catch (TokenExpiredException)
{
    Console.WriteLine("Token has expired");
}
catch (SignatureVerificationException)
{
    Console.WriteLine("Token has invalid signature");
}
catch (Exception ex)
{
    Console.WriteLine("Other exception: " + ex.Message);
}
answered on Stack Overflow Sep 7, 2020 by Li-Jyu Gao
2

I landed up upgrading the version of the package System.IdentityModel.Tokens.Jwt to 6.7.1 (probably unnecessary).

The real fix was changing this:

InMemorySymmetricSecurityKey signingKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes("secretsigningkey"));

to this

SecurityKey signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(domainJWTParams.IssuerSigningKey));

This works with HS256, HS384, HS512 (possibly even more) but what's really good with this implementation is that no hardcoded algorithm is needed.

answered on Stack Overflow Sep 10, 2020 by darren
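The following is an added, self-contained example (not code from either answer) that shows the fix from the accepted answer end to end on System.IdentityModel.Tokens.Jwt 6.x: a token is issued with HS512 using a SymmetricSecurityKey, validated with the same key, and a token signed with a different algorithm is rejected. Issuer, audience and the claim value are hypothetical; the 64-byte key is generated at run time rather than hardcoded. ValidAlgorithms is a real TokenValidationParameters property in 6.x and later; the example assumes that version.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

class Hs512Demo
{
    // Hypothetical values; replace with your own issuer and audience.
    const string Issuer = "https://issuer.example";
    const string Audience = "api.example";

    static void Main()
    {
        // RFC 7518 section 3.2 requires an HMAC key at least as long as the hash
        // output, so HS512 needs >= 64 bytes. "secretsigningkey" (16 bytes) is too short.
        byte[] keyBytes = RandomNumberGenerator.GetBytes(64); // .NET 6+
        var key = new SymmetricSecurityKey(keyBytes);

        string token = Issue(key, SecurityAlgorithms.HmacSha512);
        Console.WriteLine("alg in header: " + new JwtSecurityTokenHandler().ReadJwtToken(token).Header.Alg);

        ClaimsPrincipal principal = Validate(token, key);
        Console.WriteLine("validated subject: " + principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        // Same key, but signed with HS256: rejected because ValidAlgorithms pins HS512.
        string hs256Token = Issue(key, SecurityAlgorithms.HmacSha256);
        try
        {
            Validate(hs256Token, key);
            Console.WriteLine("unexpected: HS256 token accepted");
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine("HS256 token rejected: " + ex.GetType().Name);
        }
    }

    // Issues a short-lived token signed with the given HMAC algorithm.
    static string Issue(SecurityKey key, string algorithm)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "user-42") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, algorithm),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Validates signature, issuer, audience and lifetime. The handler reads the
    // algorithm from the token header, which is why SymmetricSecurityKey works for
    // HS256/HS384/HS512 alike; ValidAlgorithms restricts which of those are accepted.
    static ClaimsPrincipal Validate(string token, SecurityKey key)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha512 },
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }
}
```

Two points worth keeping in mind when applying the accepted answer's change: because the handler takes the algorithm from the token's alg header, set ValidAlgorithms so that only the algorithms your issuer actually uses are accepted, and size the key for the strongest algorithm on that list (64 bytes for HS512). With a key that is too short for the announced algorithm, recent versions fail signature validation with an IDX10503-style message listing the keys tried, much like the one in the question.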

User contributions licensed under CC BY-SA 3.0