How to get more info about invalid JWT algorithm

I service is throwing “Invalid algorithm ‘HS256’, expected ‘RS256’” from:

Is there a way I can handle this, in that sense, I can log the original request so I can see what’s really inside the request itself. It’s a service called by a third party and 99.9% of the calls are OK, but sometimes these errors I get in my log, but cannot see what’s really inside.

Where should I try to hook for this exception thrown so that I can log the original request?

You could inspect the request with a IAppHost.PreRequestFilters, otherwise you can always inherit from JwtAuthProvider and override that GetVerifiedJwtPayload() method to inspect the it before calling base.

With the PreRequestFilters I was able to log the fact that the web hook is posting (sometimes) and Authorization header with a Bearer token that is not known to us. The call itself is not protected, and in the end the call is processed, only there is a Error in GetSession() when ApplyPreAuthenticateFilters error in my logs.
I tried to remove the header in the PreRequestFilters but I cannot modify the header it seems.
Any other suggestion besides creation my own JwtAuthProvider?
Would it be better that SS does not process the authorization header if the service is not marked with the auth attribute?

You can’t modify the framework’s .NET Request / Response directly but you can override the Authorization used with:

req.Items[Keywords.Authorization] = ....;

As long as it’s not a 3-part . or 5-part JWT Token the JWT Auth Provider should ignore it.

ServiceStack always needs to execute the PreRequestFilters if calling GetSession() in order to populate the session, your code can choose not to call GetSession() after inspecting the Request.

I tried that, setting it to null but still tries to validate because of the header. Thing is that the GetSession is in a base class and the check IsAuthenticated is called (underlying this is doing a GetSession); furthermore an ORMLite hook when updating is using the GetSession to see whether we have a user or not to save as updatedUser…
So I am affraid that I need to subclass the JwtAuthProvider then to override the complete method and not throwing the Exception

Setting it to null doesn’t override it, you need to set it to something that’s not a 3-part or 5-part JWT/JWE Key, e.g. Bearer ignore

Okay! That did the trick!

1 Like