Prerequisites:

- Keycloak is running in Docker using image keycloak/keycloak:latest
- added a new Client (service account), which has a Client ID and a Client Secret, as in the picture below
- default realm is master
In Postman I've authenticated using the client_credentials grant type and got the JWT access token in the response.

Now I would like to authenticate in my dotnet 8 WebApi microservice using the JWT token that I got from Postman. The configuration is:
    IdentityModelEventSource.ShowPII = true;

    builder.Services.AddAuthentication("Bearer")
        .AddJwtBearer("Bearer", options =>
        {
            options.Authority = "http://host.docker.internal:7080/realms/master";
            options.Audience = "account";
            options.MetadataAddress = "http://host.docker.internal:7080/realms/master/.well-known/openid-configuration";
            options.RequireHttpsMetadata = false;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                ValidateIssuer = true,
                ValidIssuer = "http://localhost:7080/realms/master",
                ValidateAudience = true,
                ValidAudience = "account",
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
            };
            options.UseSecurityTokenValidators = false;
        });

    builder.Services.AddAuthorization();
The endpoint is secured:

    app.MapGet("/secret", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}. My secret").RequireAuthorization();

When accessing the secure endpoint I get the error:

    Failed to validate the token.
    Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
       at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
Could someone please explain to me what is wrong in this code? If I understand correctly, I do not necessarily need to provide the "signing key" because I have a service account authentication type, meaning that Keycloak itself should be able to validate the token signature using the private secret key that it possesses. So the error makes no sense to me.
In any case, I also tried setting the secret key (same as client secret?) manually:

    ValidateIssuerSigningKey = true,
    IssuerSigningKey = new JsonWebKey("vKgbRKwmv9YH42OSMFnofQxCh8d92jX2"), // this OR next
    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("vKgbRKwmv9YH42OSMFnofQxCh8d92jX2")), // this OR next

but this does not resolve the issue and produces new error messages about invalid key format. Any ideas how to fix this, or explanations for the failure, are much appreciated!
The ONLY working solution so far is completely disabling the signing key verification using:

    ValidateIssuerSigningKey = false,
    SignatureValidator = delegate (string token, TokenValidationParameters parameters)
    {
        return new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(token);
    },

but then I would assume that this would be the same as letting anybody use any randomly signed JWT token, which is not what I want 🙂
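When a bearer handler reports IDX10500 ("no security keys were provided"), the two things a practitioner checks first are whether the token header's `kid` resolves to a key in the JWKS the handler downloaded from the metadata address, and whether the token's `iss` claim equals the configured `ValidIssuer` byte for byte, since the handler only matches keys after the issuer is accepted. The following diagnostic is an added example written for this post; it is not code from the question, from Keycloak, or from ASP.NET, and it is in Python rather than C# so it can run offline with the standard library. It decodes the header and payload without verifying the signature (the same thing the `SignatureValidator` delegate above does, which is why that delegate must never ship), then reports mismatches against a constructed JWKS document and the validation parameters. The JWKS key entry, the `kid` value and the sample token are all constructed placeholders.

```python
import base64
import json

# Constructed JWKS document in the shape an OIDC provider serves at jwks_uri.
# The modulus is a placeholder, not a real Keycloak key; only "kid"/"alg" matter here.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "kid-rs256-example", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(kid, iss, aud, alg="RS256"):
    """Constructed token for demonstration. The third segment is a dummy string,
    not a real signature, so this token would (correctly) fail real validation."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    payload = {"iss": iss, "aud": aud, "typ": "Bearer"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.dummy-signature"


def peek(token):
    """Decode header and payload WITHOUT verifying the signature.
    Diagnostics only: nothing returned here may be trusted for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def diagnose(token, jwks, valid_issuer, valid_audience):
    """Return a list of human-readable findings; an empty list means the header
    and claims are consistent with the JWKS and the validation parameters."""
    header, payload = peek(token)
    findings = []

    # 1. Key resolution: the handler needs a JWKS entry whose kid matches the header.
    kids = sorted(k.get("kid") for k in jwks.get("keys", []) if k.get("kid"))
    if header.get("kid") not in kids:
        findings.append(f"kid {header.get('kid')!r} not found in JWKS kids {kids}")

    # 2. Algorithm: RS*/ES*/PS* tokens are verified with the provider's public key
    #    from the JWKS; a client secret is only relevant for HS* (symmetric) tokens.
    alg = header.get("alg", "")
    if alg.startswith("HS"):
        findings.append(f"alg {alg} is symmetric; a shared secret would be required")

    # 3. Issuer: ValidIssuer must equal the iss claim exactly (scheme, host, port, path).
    if payload.get("iss") != valid_issuer:
        findings.append(f"iss {payload.get('iss')!r} != ValidIssuer {valid_issuer!r}")

    # 4. Audience: aud may be a string or a list; ValidAudience must be in it.
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if valid_audience not in auds:
        findings.append(f"aud {aud!r} does not contain ValidAudience {valid_audience!r}")

    return findings


if __name__ == "__main__":
    # Token minted for the Docker-internal hostname, validated with a localhost ValidIssuer.
    tok = build_sample_token("kid-rs256-example",
                             "http://host.docker.internal:7080/realms/master", "account")
    for line in diagnose(tok, SAMPLE_JWKS, "http://localhost:7080/realms/master", "account"):
        print("FINDING:", line)
```

Run it against a real token by replacing the constructed token with the one from Postman and the constructed JWKS with the document fetched from the `jwks_uri` listed in the realm's `.well-known/openid-configuration`; because the script never checks the signature, its output is only a pointer to which validation parameter to look at, and the real handler must keep `ValidateIssuerSigningKey = true` with no custom `SignatureValidator`.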