I am going through the extremely painful process of updating a .NET Core 1.1 MVC web service which has been in production, untouched, for 9 years. I'm attempting to convert to .NET 8.0. I'm trying to get the service to validate AWS Cognito bearer tokens. I have the issuer configured properly (I verify the string exactly matches the `iss` field in the decoded JWT) but I simply see this in the debug output:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Debug: AuthenticationScheme: Bearer was not authenticated.

I have default logging level set to trace as well as calling out trace for individual components:

    {
      "Logging": {
        "IncludeScopes": false,
        "LogLevel": {
          "Default": "Trace",
          "System": "Trace",
          "Microsoft": "Trace",
          "Microsoft.AspNetCore": "Trace",
          "Microsoft.AspNetCore.Authentication": "Trace"
        }
      }
    }

and I have set various JwtBearer options that would appear to increase information:

    options.TokenValidationParameters = new TokenValidationParameters
    {
        RequireSignedTokens = true,
        RequireExpirationTime = true,
        ClockSkew = new TimeSpan(0, 15, 0),
        RequireAudience = false,
        ValidateAudience = false,
        ValidateLifetime = true,
        ValidateIssuer = true,
        ValidIssuer = "proper aws url",
        // the two settings below were added specifically to get more logging detail
        LogValidationExceptions = true,
        LogTokenId = true,
    };
    options.UseSecurityTokenValidators = true;
    // also added to get more logging detail
    options.IncludeErrorDetails = true;

Yet the tracing produced seems extremely limited (one line) and unspecific. This seems crazy; I must be missing something. How can I debug this to figure out where the validation is going wrong? Is there some way to insert my own passthrough class into this chain so I can at least see which function is failing, what it is taking for params, etc.?

J.Memisevic (best answer):

In .NET 8, to set up authentication you need to add the authentication scheme and JWT Bearer:

    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using System.Security.Claims;

    var builder = WebApplication.CreateBuilder(args);

    // `settings` stands for your own object holding the provider's
    // discovery URL, issuer and audience(s)
    builder.Services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(opt =>
        {
            // fetches the provider's OpenID configuration, including its signing keys
            var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                settings.DiscoveryUrl,
                new OpenIdConnectConfigurationRetriever());

            opt.RequireHttpsMetadata = true;
            opt.SaveToken = true;
            opt.ConfigurationManager = configManager;
            opt.TokenValidationParameters = new TokenValidationParameters
            {
                ClockSkew = TimeSpan.FromMinutes(3),
                ValidateLifetime = true,
                ValidateIssuer = true,
                ValidIssuer = settings.Issuer,
                ValidateAudience = true,
                ValidateIssuerSigningKey = true,
                ValidAudiences = settings.Audience,
                NameClaimType = ClaimTypes.Upn
            };
        });
    builder.Services.AddAuthorization(opt =>
    {
        // Your policies here
    });

    // Other configuration
    var app = builder.Build();

    app.UseAuthentication();
    app.UseAuthorization();
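The "passthrough" the question asks for already exists in the handler as `JwtBearerEvents`: `OnAuthenticationFailed` receives the exact exception the validator threw, and `OnMessageReceived` fires before any validation. The following is an added example (not from the question or the answer above) that wires those hooks up and points `Authority` at the Cognito issuer so the signing keys are fetched; it assumes a `Cognito:Issuer` configuration key and the ASP.NET Core Web SDK's implicit usings.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Development only: IdentityModel replaces key ids, issuers and claim values
// in exception text with "[PII is hidden]" unless this is switched on.
if (builder.Environment.IsDevelopment())
    IdentityModelEventSource.ShowPII = true;

string issuer = builder.Configuration["Cognito:Issuer"]!; // assumed config key

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority makes the handler download the signing keys from
        // <issuer>/.well-known/jwks.json; with no keys every token is rejected.
        options.Authority = issuer;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = false, // Cognito access tokens carry client_id, not aud
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
        };
        options.Events = new JwtBearerEvents
        {
            // Fires before validation: proves a bearer token actually reached the handler.
            OnMessageReceived = ctx =>
            {
                Logger(ctx.HttpContext).LogDebug("Authorization header present: {Present}",
                    ctx.Request.Headers.ContainsKey("Authorization"));
                return Task.CompletedTask;
            },
            // ctx.Exception is the concrete reason: issuer mismatch, expiry, unknown kid, ...
            OnAuthenticationFailed = ctx =>
            {
                Logger(ctx.HttpContext).LogWarning(ctx.Exception, "Bearer token rejected");
                return Task.CompletedTask;
            },
        };
    });

// Resolves a logger from the request's service provider (hypothetical helper name).
static ILogger Logger(HttpContext http) =>
    http.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("JwtDebug");
```

With `IncludeErrorDetails = true` the same reason also appears in the `WWW-Authenticate` response header, so a 401 can be diagnosed from the client side without reading the server log.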