An odd case here - our app validates Jwts from Okta, which use RSA keys. The app also supports the ability for high-level users to impersonate lower-level users, as a form of support. This proxy ability is implemented by creating an internal Jwt, which uses a symmetric HmacSha256 key.
I have created two separate JwtAuthProviderReaders, one for each case, and they both work individually. However, when I try to install both in the AppHost, the first one listed always fails when it gets the Jwt meant for the other one. The auth doesn't pass through from the first provider to the second.
I was wondering if I had to combine the login into one JwtAuthProviderReader, but to do so I would have to be able to support both types of encryption. Or whether there was a setting on the JwtAuthProviderReader that would allow the pass-through from the first to the second.
Thank you. I actually just found a better answer - setting RequireHashAlgorithm to false prevented the error message, which is thrown in the method GetVerifiedJwtPayload:

```csharp
// Potential Security Risk for relying on user-specified algorithm:
// https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
if (RequireHashAlgorithm && algorithm != HashAlgorithm)
    throw new NotSupportedException($"Invalid algorithm '{algorithm}', expected '{HashAlgorithm}'");
```