Duende.AccessTokenMangement blocks JWT validation from version 3.1.0 onwards.

[ElliotDunk]

When installing Duende.AccessTokenManagement from version 3.1.0 onwards (version 3.0.1 seems to work fine), it seems to block the final call to /.well-known/openid-configuration/jwks and fail silently when adding a JwtBearer to the authentication pipeline. If debug events are added it seems to throw an error saying no key was given. It causes the issue as soon as the package is added to the project even before any code has been changed. The code below demonstrats the affected code, which works fine without Duende.AccessTokenManagement but not with it if the version is 3.1.0 or above.

builder.Services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "https://localhost:5001";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});

[wcabus]

Which version of Microsoft.AspNetCore.Authentication.JwtBearer are you using in your project?

Both Duende.AccessTokenManagement and Microsoft.AspNetCore.Authentication.JwtBearer eventually have a dependency on System.IdentityModel.Tokens.Jwt and other related libraries, and my guess is that your project is using conflicting versions of these dependencies.

You can check which versions your project is resolving by scanning your project using the following Powershell line:

dotnet list package --include-transitive | sls "Microsoft.IdentityModel|System.IdentityModel"

If the resulting list has different package versions, as shown in the example output below, then you need to add some of the outdated NuGet packages to pin their versions so that all of them are the same.

Example output:

   > Microsoft.IdentityModel.Abstractions                       7.4.0
   > Microsoft.IdentityModel.JsonWebTokens                      7.4.0
   > Microsoft.IdentityModel.Logging                            7.4.0
   > Microsoft.IdentityModel.Protocols                          7.0.3
   > Microsoft.IdentityModel.Protocols.OpenIdConnect            7.0.3
   > Microsoft.IdentityModel.Tokens                             7.4.0
   > System.IdentityModel.Tokens.Jwt                            7.0.3

[ElliotDunk]

Thank you for your response, after running the command I get the following:

` > Microsoft.IdentityModel.Abstractions 7.1.2

Microsoft.IdentityModel.JsonWebTokens 7.1.2
Microsoft.IdentityModel.Logging 7.1.2
Microsoft.IdentityModel.Protocols 7.1.2
Microsoft.IdentityModel.Protocols.OpenIdConnect 7.1.2
Microsoft.IdentityModel.Tokens 7.1.2
System.IdentityModel.Tokens.Jwt 7.1.2 `,

I downgraded all the pacakges you suggested to their corrosponding versions but I cannot test the latest Duende.AccessTokenManagement as it says its requires those dependencies you listed to be higher versions. I can only install version 3.0.1 which was working as expected anyway. Originally when I posted the question I was running Microsoft.AspNetCore.Authentication.JwtBearer at version 8.0.18.

[wcabus]

Microsoft.AspNetCore.Authentication.JwtBearer version 8.0.18 has a dependency on Microsoft.IdentityModel.Protocols.OpenIdConnect >= 7.1.2

Can you try adding the package Microsoft.IdentityModel.Protocols.OpenIdConnect explicitly to your project as well, but setting the version to 8.13.0 instead? You may need to add additional NuGet packages (from that list above) to ensure they're all using the same version.

[ElliotDunk]

So I explicitly added Microsoft.IdentityModel.Protocols.OpenIdConnect at version 8.13.0 as you suggested and it now works with the lastest version of Duende.AccessTokenManagement.

Thank you for your help.