RSA JWT Validation in .NET Can Fail Due to Algorithm Identifier Mismatch
Developers validating RSA-signed JWTs in .NET may encounter signature validation failures even when the public key is correct. The root cause is often a mismatch in algorithm identifier format within the ValidAlgorithms configuration parameter. Some identity providers, particularly older WCF-based or enterprise SSO systems, express the signing algorithm as a full URI such as 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' instead of the standard short form 'RS256'. If only the short-form identifier is listed in ValidAlgorithms, tokens using the URI form are rejected despite carrying a cryptographically valid signature. The fix is to include both identifier formats in the ValidAlgorithms list, ensuring tokens are accepted regardless of which format the issuing service uses.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in