Weird Exception in JwtAuthProviderReader

We just started seeing this exception trace in our production code. (v.5.4.0)

nSystem.ArgumentOutOfRangeException: Index and length must refer to a location within the string.\r\nParameter name: length\r\n   at System.String.Substring(Int32 startIndex, Int32 length)\r\n   at ServiceStack.Auth.JwtAuthProviderReader.GetKeyId(IRequest req)\r\n   at ServiceStack.Auth.JwtAuthProvider.CreateJwtBearerToken(IRequest req, IAuthSession session, IEnumerable`1 roles, IEnumerable`1 perms)\r\n   at ServiceStack.Auth.JwtAuthProvider.Execute(AuthFilterContext authContext)\r\n   at ServiceStack.Auth.AuthenticateService.Post(Authenticate request)\r\n  

which is the top of the stack trace of code that calls AuthenticateService.Post(), something like this:

        var authenticateService = this.Container.Resolve<AuthenticateService>();
        authenticateService.Request = request;

        var response = authenticateService.Post(new Authenticate()
          provider = "credentials",
          UserName = username,
          Password = password,
          RememberMe = new bool?(rememberMe),
          UseTokenCookie = new bool?(true)
        }) as HttpResult;

      // extract value of the 'ss-tok' cookie from response

Which we use to create a session for the user, and get the session cookie.

The line of code that actually throws the error (we think) is: or maybe line 377.

Do you know what could be causing this exception for us at this point in time?

Clearly something has changed in time, but we are not sure what this code indicates may have changed? Any ideas?

It’s trying to fetch the first 3 Base64 chars from your AuthKey if it exists, it gets the AuthKey from your AppHost’s GetRuntimeConfig(IRequest, nameof(AuthKey), AuthKey) which if you don’t want to override it at runtime should return the AuthKey passed in.

To get that exception you would have to return an Invalid AuthKey that’s not null but less than 3 chars when base64 serialized - which would be an invalid key.

Yes, confirmed.
We just found out a merge had lost that key in config.

sorry. Ill delete this post

Don’t delete posts, if others run into this issue it will help provide pointers on what things to look at to resolve it.