.NET 7.0 to 8.0 Upgrade Auth Error - IDW10403: Token is not a JWT

Dec 10, 2023

Some notes here for my future self and anyone else who might find them useful.

After upgrading from .NET 7 to 8.0, I found I was receiving 401 response errors when making any calls to Azure AD B2C protected API endpoints that had been working prior to the upgrade.

Overview

The upgrade from .NET 7.0 to .NET 8.0 was fairly painless for me; see .NET 7.0 to 8.0 upgrade notes.

However, there were a couple of gotchas, and I am documenting this one here as it was not obvious at first.

Azure AD B2C Authentication

I'm using Azure AD B2C for my Auth Platform, securing .NET APIs on the backend and also on the front end in different consumer and business facing Next.js web apps. With the first 50,000 MAUs for free, it is a great option, although it can be a little involved understanding all the moving parts when setting up from scratch for the first time.

I noticed after upgrading from .NET 7.0 to .NET 8.0 that the Azure AD B2C authentication was no longer working. I was getting 401 response errors when trying to access the different APIs.

I needed to get more verbose logging to find the exact cause of the 401 errors, so, as I was using Serilog for logging, I set the logging level to Verbose for Microsoft namespaces in the appsettings.Development.json file so I could get a rich output when logging. This would allow me to see what the underlying exception might be.

{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft": "Verbose",
        "System": "Warning"
      }
    },
    ...
  }
}

In my logging output I quickly saw an error, IDW10403, which was the cause of the 401 errors; the error caused the auth challenge to fail. This error seemed odd as it mentioned that the Auth token was not a JWT token, and as far as I knew it was and had been!

IDW10403: Token is not a JWT token

So some Googling started, and I was able to quickly identify the underlying issue, apply the changes required, validate that everything then worked, and re-deploy to the Azure development environments.

The reason I saw this error is twofold :-

  1. The Microsoft.Identity.Web NuGet package uses a property for the authentication called TokenValidatedContext.SecurityToken, and the default real implementation of TokenValidatedContext.SecurityToken changed from JwtSecurityToken to JsonWebToken in .NET 8.0.

  2. The Microsoft.Identity.Web NuGet package I had in my projects was an old version, 1.25.10, and a NuGet upgrade was required (for me, at time of writing, this is to 2.16.0) to pick up compatibility changes that had been made in a later version for this issue. This is something I should have done while upgrading to .NET 8.0, or as a general good NuGet maintenance task. I also needed to upgrade the Microsoft.Identity.Client package from 4.48.1 to 4.58.1.
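To make the type change in point 1 concrete, here is an added example (not code from this post's projects or from Microsoft.Identity.Web) showing how a check written against JwtSecurityToken rejects a JsonWebToken, next to a type-agnostic version. The class and method names, the exception messages and the sample token are all constructed for illustration.

```csharp
// Added example: needs the System.IdentityModel.Tokens.Jwt NuGet package
// (which brings in Microsoft.IdentityModel.JsonWebTokens).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class SecurityTokenTypeDemo
{
    // Hypothetical check written for the old default: accepts only JwtSecurityToken.
    public static string SubjectLegacy(SecurityToken token) =>
        token is JwtSecurityToken jwt
            ? jwt.Subject
            : throw new UnauthorizedAccessException(
                $"Expected JwtSecurityToken, got {token.GetType().Name}");

    // Type-agnostic version: reads the subject from either token class.
    public static string Subject(SecurityToken token) => token switch
    {
        JsonWebToken jwt => jwt.Subject,       // default type in .NET 8.0
        JwtSecurityToken jwt => jwt.Subject,   // default type before .NET 8.0
        _ => throw new UnauthorizedAccessException(
            $"Unsupported token type {token?.GetType().Name}")
    };

    public static void Main()
    {
        // Constructed, unsigned sample token: it is only parsed here, never validated.
        var legacyHandler = new JwtSecurityTokenHandler();
        string compact = legacyHandler.WriteToken(new JwtSecurityToken(
            issuer: "https://issuer.example",
            audience: "api://constructed-sample",
            claims: new[] { new Claim("sub", "user-123") }));

        // The same compact token, materialised as each of the two classes.
        SecurityToken oldType = legacyHandler.ReadJwtToken(compact);
        SecurityToken newType = new JsonWebTokenHandler().ReadJsonWebToken(compact);

        Console.WriteLine($"legacy check, old type: {SubjectLegacy(oldType)}");
        Console.WriteLine($"agnostic check, old type: {Subject(oldType)}");
        Console.WriteLine($"agnostic check, new type: {Subject(newType)}");
        try { SubjectLegacy(newType); }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine($"legacy check, new type: rejected ({ex.Message})");
        }
    }
}
```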

Some further googling and I stumbled on these useful resources that gave some more background on the issue :-

As with a lot of things in software development, this was a very easy fix to make, but discovering the fix can take a little digging and research, which is also an opportunity to gain more in-depth knowledge in doing so 😌