I've read plenty of articles and Q&As regarding this and similar errors, but the scenario I face is truly puzzling, so I'm creating this question to, at the very least, put my thoughts in order:
We have a .NET 6.0 app which is set up to use bearer JWT tokens as follows:
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        RequireExpirationTime = true,
        ValidIssuer = Configuration["JwtIssuer"],
        ValidAudience = Configuration["JwtAudience"],
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["JwtKey"])),
        ClockSkew = TimeSpan.Zero
    };
    ...
});
We have a /Login endpoint which internally uses System.IdentityModel.Tokens.Jwt.JwtSecurityToken(...) with the following as signing credentials:
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey));
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
While working locally, with a launchSettings.json configured with the same values (copied from Azure's Kudu AppSettings) as one of our environments' variables, everything works OK. In the other environments we have deployed, everything works OK too.
However, in one of our environments, X, when we pass our token in the header as "Authorization: bearer ey..." we get a 401 error claiming that "The signature key was not found". What's even more puzzling is that if we generate a token by running the app locally, configured with the same values as X, and then pass it in the Authorization header when calling X directly, it works, just as it does locally; however, if we try to use the token generated by calling the real X, we get a 401 error (both there and on localhost).
I've tried comparing the environments to no avail, and I'm out of ideas about what to compare (I'm tempted to tear that environment down and just create a new one with the same configs to see if that works).
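One offline check worth running on a rejected token, as an added example rather than code from the question or from ASP.NET Core: decode the JWT header without validating it (to see the `alg` and any `kid`), then recompute the HS256 signature over the signing input with the shared secret encoded both ways. The configuration in the question derives the validation key with `Encoding.ASCII.GetBytes` while the /Login endpoint signs with `Encoding.UTF8.GetBytes`; the two byte arrays are identical only while the secret is pure ASCII, because `Encoding.ASCII` substitutes `?` for every non-ASCII character instead of failing. The bearer handler reports "The signature key was not found" when the validator could match none of its configured keys to the token, so the header fields and the byte-level key comparison are the two things to look at first. The secrets and claims below are constructed values; this script assumes nothing beyond the Python standard library.

```python
"""Offline HS256 JWT check for the ASCII-vs-UTF-8 key derivation mismatch (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_bytes(secret: str, encoding: str) -> bytes:
    """Reproduce the two .NET derivations from the question.

    Encoding.UTF8.GetBytes is plain UTF-8. Encoding.ASCII.GetBytes does not
    raise on non-ASCII input; it substitutes '?' (0x3F) for each such
    character, which is exactly what Python's 'replace' handler does.
    """
    if encoding == "ascii":
        return secret.encode("ascii", errors="replace")
    if encoding == "utf-8":
        return secret.encode("utf-8")
    raise ValueError(f"unsupported encoding {encoding!r}")


def sign_hs256(claims: Dict, key: bytes, extra_header: Optional[Dict] = None) -> str:
    """Mint a compact JWT the way a /Login endpoint using HmacSha256 would."""
    header = {"alg": "HS256", "typ": "JWT"}
    if extra_header:
        header.update(extra_header)  # e.g. a "kid" the issuer chose to add
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Header and payload only; never act on these without verify_hs256."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time comparison of the token's signature against our own."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def diagnose(token: str, secret: str) -> Dict:
    """alg, kid, and which key derivation (if any) reproduces the signature."""
    header, _ = decode_unverified(token)
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "utf8_key_matches": verify_hs256(token, key_bytes(secret, "utf-8")),
        "ascii_key_matches": verify_hs256(token, key_bytes(secret, "ascii")),
    }


if __name__ == "__main__":
    # Constructed secrets: one pure ASCII, one containing a non-ASCII character.
    ascii_secret = "this-is-a-constructed-ascii-secret-0123456789"
    mixed_secret = "this-is-a-constructed-secret-with-\u00fc-0123456789"
    claims = {"sub": "alice", "aud": "api", "iss": "login"}
    for secret in (ascii_secret, mixed_secret):
        # /Login signs with the UTF-8 bytes, as the SigningCredentials in the question do.
        token = sign_hs256(claims, key_bytes(secret, "utf-8"))
        # The bearer handler validates with the ASCII bytes; compare both.
        print(repr(secret), diagnose(token, secret))
```

Paste a real token and the environment's actual `JwtKey` value into `diagnose` to get a yes/no per derivation; if neither matches, the secret the validating instance actually loaded differs from the one you think it has, and the `kid` field tells you whether the token is pointing at a key the handler was never given.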