
upgrade from 1.24.1 to 1.25.1 generates a lot of errors #2058


Closed
Marusyk opened this issue Jan 23, 2023 · 9 comments
Labels
question Further information is requested

Comments

@Marusyk

Marusyk commented Jan 23, 2023

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

1.25.1

Web app

Not Applicable

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

With 1.24.1 everything worked well.
I have 3 different types of authN in my app

  • Azure AD
  • Azure AD B2C
  • Custom JWT

Shouldn't 1.25.1 be backward compatible with 1.24.1 according to SemVer?

Reproduction steps

  1. Upgrade from 1.24.1 to 1.25.1
  2. Start the web api

Error message

[23-01-23 22:36:57.57Z ERR] Microsoft.IdentityModel Version: 6.25.1.0. Date 01/23/2023 22:36:57. PII logging is OFF. See https://aka.ms/IdentityModel/PII for details.
IDX40001: Issuer: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]', does not match any of the valid issuers provided for this application. <s:Development:Twin Service/Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter>
[23-01-23 22:36:57.57Z ERR] IDX10516: Signature validation failed. Unable to match key:
kid: '-KI3Q9nNR7bRofxmeZoXqbHZGew'.
Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '1'.
Exceptions caught:
'[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Valid Lifetime: 'True'. Valid Issuer: 'False' <s:Development:Twin Service/Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter>
[23-01-23 22:36:57.57Z ERR] IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/XXXX-XXXX-403b-8a08-0c5f50471e64/'. Did not match: validationParameters.ValidIssuer: 'CARoot-test' or validationParameters.ValidIssuers: 'null' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'Null'. For more details, see https://aka.ms/IdentityModel/issuer-validation. <s:Development:Twin Service/Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter>
[23-01-23 22:36:57.57Z ERR] IDX10516: Signature validation failed. Unable to match key:
kid: '-KI3Q9nNR7bRofxmeZoXqbHZGew'.
Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '1'.
Exceptions caught:
'[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Valid Lifetime: 'True'. Valid Issuer: 'False' <s:Development:Twin Service/Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter>

Id Web logs

No response

Relevant code snippets

builder.Services
    .AddAuthentication()
    .AddMicrosoftIdentityWebApi(_ => { }, options =>
    {
        options.ClientId = clientId;
        options.TenantId = tenantId;
        options.Instance = "https://login.microsoftonline.com/";
    }, jwtBearerScheme: AuthScheme.JwtAzureAd);

builder.Services.AddMicrosoftIdentityWebApiAuthentication(configuration, "Auth:AzureAdB2C", AuthScheme.JwtAzureAdB2C, true);

builder.Services
    .AddAuthentication()
    .AddJwtBearer(AuthScheme.JwtRootCertificate, opt =>
    {
        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateLifetime = true,
            ValidateIssuer = true,
            ValidIssuer = keyVaultClient.RootCertificateId,
            ValidateAudience = false,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingCredentials.Key,
            RequireSignedTokens = true,
            ClockSkew = TimeSpan.FromSeconds(5)
        };
    });

Regression

No response

Expected behavior

At least it should run without errors, because the version should be backward compatible.

@Marusyk Marusyk added the question Further information is requested label Jan 23, 2023
@jennyf19
Collaborator

@Marusyk Did you have the issues moving to the latest 1.25.10?

@Marusyk
Author

Marusyk commented Jan 23, 2023

Yes, I have. Then I moved back to 1.25.1; however, 1.25.0 is also not working.

@jmprieur
Collaborator

@Marusyk: is the problem that you have too many logs containing "errors", whereas before the logs had no errors? Or is the web API no longer working?
cc: @jennyf19

@Marusyk
Author

Marusyk commented Jan 24, 2023

The web API works and returns a response. I got all these logs after 1.24.1 -> 1.25.1. Everything continues to work, but these errors appeared.

@Marusyk
Author

Marusyk commented Feb 21, 2023

any updates?

@maffelbaffel

maffelbaffel commented Mar 2, 2023

Tried to build an API with multiple authentication schemes (AAD and B2C) and getting a lot of error logs too.
While authentication in my application works, I am not sure how to properly get rid of these validation errors. The increase in error logging seems to be introduced with 1.25.1. I do not see these errors with 1.25.0! I also see these errors with the current 2.5.0 release.

I followed the guide here. Instead of AddJwtBearer I use AddMicrosoftIdentityWebApi

It looks like when having multiple Bearer authentication schemes, currently a token is validated for every scheme no matter what I do. This is also described in a bit more detail here.

IMHO this is a bug, because even when using a ForwardDefaultSelector, both schemes still seem to validate the request.

What might be part of the problem is that I need both authentication schemes to be enabled at the same time in MyPolicy:

services.AddAuthorization(options =>
{
    options.AddPolicy("MyPolicy", policyBuilder =>
        policyBuilder.RequireAuthenticatedUser()
            .AddAuthenticationSchemes("B2C", "AAD")
    );
});

If I only enable one or the other authentication scheme within MyPolicy I do not get these errors.
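The log lines in the original report show what the multi-scheme setup is doing: the IDX10205 entry has validationParameters.ValidIssuer 'CARoot-test' rejecting a token whose issuer is https://sts.windows.net/{tenant}/, i.e. the custom-certificate scheme is validating an Azure AD token, and the IDX10516 entries with "Number of keys in TokenValidationParameters: '0'" are a scheme whose keys belong to a different issuer failing to match the kid. Every JwtBearer handler named in the policy gets called for every request, so each handler logs an error for the two out of three tokens that were never meant for it. The standard way to get one validation per token is a policy scheme whose ForwardDefaultSelector reads the (unverified) issuer from the bearer token and forwards to exactly one real scheme, with the authorization policy naming only that selector. The following Program.cs is an added example for the three-scheme setup from the issue, not code from the issue or from Microsoft.Identity.Web. The scheme names, configuration keys (Auth:AzureAd:TenantId, Auth:AzureAdB2C:IssuerPrefix, Auth:RootCertificate:Issuer, Auth:RootCertificate:PublicKeyPem) and the PEM-sourced root key are assumptions standing in for the issue's AuthScheme constants and keyVaultClient.

```csharp
// Added example (not from the issue or from Microsoft.Identity.Web): route each
// bearer token to exactly one JwtBearer scheme, so the others never validate it.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
IConfiguration config = builder.Configuration;

// Scheme names are assumptions standing in for the issue's AuthScheme constants.
const string AzureAdScheme = "JwtAzureAd";
const string B2CScheme = "JwtAzureAdB2C";
const string RootCertScheme = "JwtRootCertificate";
const string SelectorScheme = "BearerSelector";

// Assumed configuration keys. The B2C prefix is the tenant's b2clogin.com base
// URL; the root-certificate issuer is what the issue reads from Key Vault.
string b2cIssuerPrefix = config["Auth:AzureAdB2C:IssuerPrefix"]!; // e.g. https://contoso.b2clogin.com/
string rootCertIssuer = config["Auth:RootCertificate:Issuer"]!;
var rootCertRsa = RSA.Create();
rootCertRsa.ImportFromPem(config["Auth:RootCertificate:PublicKeyPem"]!);

// 1. The selector. Registered as the default scheme, it validates nothing itself;
//    it only decides which real handler runs. Register it first: a later
//    AddAuthentication("SomeScheme") call would replace the default scheme.
builder.Services.AddAuthentication(SelectorScheme)
    .AddPolicyScheme(SelectorScheme, "Route bearer token by issuer", options =>
    {
        options.ForwardDefaultSelector = context =>
        {
            // Read from the unvalidated token, so treat the issuer as
            // attacker-controlled: it picks a validator, it grants nothing.
            string? issuer = BearerRouting.UnverifiedIssuer(context);
            if (issuer == rootCertIssuer) return RootCertScheme;
            if (issuer is not null &&
                issuer.StartsWith(b2cIssuerPrefix, StringComparison.OrdinalIgnoreCase))
                return B2CScheme;
            // Azure AD tokens, plus anything unreadable or unknown: the Azure AD
            // handler rejects those with 401, so unknown issuers fail closed.
            return AzureAdScheme;
        };
    });

// 2. The three real schemes, each validating only the tokens routed to it.
builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(config, "Auth:AzureAd", AzureAdScheme);
builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(config, "Auth:AzureAdB2C", B2CScheme);
builder.Services.AddAuthentication()
    .AddJwtBearer(RootCertScheme, options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = rootCertIssuer,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new RsaSecurityKey(rootCertRsa),
            RequireSignedTokens = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(5),
            ValidateAudience = false, // as in the issue; set ValidAudience if the API has one
        };
    });

// 3. Policies name the selector, not the individual schemes. Listing several
//    schemes in AddAuthenticationSchemes makes the policy evaluator call every
//    one of them, which is what produces the cross-scheme IDX10205/IDX10516 logs.
builder.Services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder(SelectorScheme)
        .RequireAuthenticatedUser()
        .Build();
    options.AddPolicy("MyPolicy", policy => policy
        .AddAuthenticationSchemes(SelectorScheme)
        .RequireAuthenticatedUser());
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous")
   .RequireAuthorization("MyPolicy");
app.Run();

static class BearerRouting
{
    // Decodes the bearer token WITHOUT validating it and returns its 'iss' claim,
    // or null when the Authorization header carries no well-formed JWT.
    public static string? UnverifiedIssuer(HttpContext context)
    {
        string header = context.Request.Headers.Authorization.ToString();
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return null;
        string raw = header["Bearer ".Length..].Trim();
        var handler = new JwtSecurityTokenHandler();
        return handler.CanReadToken(raw) ? handler.ReadJwtToken(raw).Issuer : null;
    }
}
```

Routing on an unverified claim does not weaken the check: the forwarded-to handler still validates signature, issuer and lifetime exactly as before, and a token routed to the wrong scheme is rejected rather than accepted, because each scheme validates its own issuer and keys. What changes is that only one handler runs per request, so the error-level IDX10205 and IDX10516 entries from the schemes that were never meant to see that token no longer appear, and a namespace-level log filter is not needed to keep them out of incident pipelines.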

@pjh1974

pjh1974 commented Mar 28, 2023

I too am having the same problem, are there any updates on this one?

@jennyf19
Collaborator

Logging/exception handling improvements are happening in the lower-level library: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2711

Should be available by October, and you should see a reduction in logs + perf improvement.

Closing as the issue is outside IdWeb.

@PetteriPertola

Logging/exception handling improvements are happening in the lower-level library: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2711

Should be available by October, and you should see a reduction in logs + perf improvement.

Closing as the issue is outside IdWeb.

How can you close this issue when it's clearly not resolved? You need to keep this open until this is resolved. There are incredibly many companies that are currently suppressing logs on a namespace level to avoid spamming error logs which are treated as incidents!

6 participants