Forum Discussion
Issue with SignIn Key validation while using Orcid as External login Provider with Identity Server
Hi,
I am working on integrating Orcid as second external login provider in my Identity Server based SSO application in Asp.Net Core. I have added necessary configurations in startup.cs file for Orcid provider as below
services.AddAuthentication()
.AddOpenIdConnect("ORCID", "ORCID", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.ClientId = {myclientid};
options.ClientSecret = {myclientsecret};
options.Authority = {authorityurl};
options.ResponseType = "code";
options.Scope.Clear();
options.Scope.Add("openid"); // ORCID-specific scope for basic authentication
options.Scope.Add("/authenticate");
options.CallbackPath = new PathString({myapplicationpath});
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;
options.Configuration = new Microsoft.IdentityModel.Protocols. OpenIdConnect.OpenIdConnectConfiguration
{
AuthorizationEndpoint = "https://sandbox.orcid.org/oauth/authorize",
TokenEndpoint = "https://sandbox.orcid.org/oauth/token",
Issuer = "https://sandbox.orcid.org"
};
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
{
NameClaimType = "sub",
RoleClaimType = "role"
ValidateIssuer = true,
ValidIssuer = "https://sandbox.orcid.org",
ValidateIssuerSigningKey = true,
ValidateAudience = false, // ORCID does not return 'aud' in ID token
ValidateLifetime = true,
RequireExpirationTime = true
};
options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "orcid");
options.ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
options.Events.OnAuthorizationCodeReceived = authorizationCtx =>
{
// access code thru authorizationCtx.TokenEndpointRequest.Code
var code = authorizationCtx.TokenEndpointRequest.Code;
return Task.FromResult(0);
};
options.Events.OnTokenResponseReceived = tokenResponse =>
{
var idToken = tokenResponse.TokenEndpointResponse?.IdToken;
var accessToken = tokenResponse.TokenEndpointResponse.AccessToken;
Console.WriteLine($"Access Token: {accessToken}");
Console.WriteLine($"ID Token: {idToken}");
// Handle the response manually to prevent further processing
tokenResponse.HandleResponse();
// Redirect the user to the callback path (or another page)
var callbackUrl = {mycallbackurl}; // Change this to your desired redirect URL
tokenResponse.HttpContext.Response.Redirect(callbackUrl);
return Task.FromResult(0);
};
options.Events.OnRemoteFailure = ctx =>
{
ctx.HandleResponse();
ctx.Response.Redirect("/error?message=" + ctx.Failure.Message);
return Task.CompletedTask;
};
}).AddJwtBearer(options =>
{
options.Authority = "https://sandbox.orcid.org";
options.Audience = {myclientid};
options.RequireHttpsMetadata = true;
});
I am able to login to Orcid and receives authorization code and further receive access token and id token in OnTokenResponseReceived event. But after continuing, gets signature validation error as below
IDX10501: Signature validation failed. Unable to match keys:
kid: {orcid keyid}
token: {token keyid}....
I verified the signin keys at both end and they are correct
Can anyone suggest the cause of the error and how to fix it? How can I validate the signin key and return back to my redirect url? Or suggest a complete flow on how to implement this integration.
Thanks.