OpenIdConnectConfiguration.Create(string json) throws deserialization exception when security keys present in json #1242

Closed
Francois-du-Plessis opened this issue Aug 26, 2019 · 5 comments · Fixed by #1265

@Francois-du-Plessis

Version: 5.5.0

When trying to create a new OpenIdConnectConfiguration object from a json string created with the OpenIdConnectConfiguration.Write static method, a deserialization exception is thrown with the following error message:
Could not create an instance of type Microsoft.IdentityModel.Tokens.SecurityKey. Type is an interface or abstract class and cannot be instantiated. Path 'SigningKeys[0].KeySize'

I used the OpenIdConnectConfigurationRetriever class to initially create the OpenIdConnectConfiguration object. So doing something like the following throws the exception for me:

```csharp
// Fetch the discovery document, serialize it with Write, then try to rebuild it with Create.
var config = OpenIdConnectConfiguration.Create(
    OpenIdConnectConfiguration.Write(
        await OpenIdConnectConfigurationRetriever.GetAsync(
            "https://myidentityserveruri.com/.well-known/openid-configuration",
            CancellationToken.None)));
```
@brentschmaltz (Member)

@Francois-du-Plessis do you have the json?

@brentschmaltz brentschmaltz added the Customer reported Indicates issue was opened by customer label Aug 26, 2019
@Francois-du-Plessis (author) commented Sep 6, 2019

{"authorization_endpoint":"https://dev-login.euromonitor.com/connect/authorize","check_session_iframe":"https://dev-login.euromonitor.com/connect/checksession","claims_supported":["sub","job_title","city","department","country","telephone_number","email","email_verified","subscriber_id","is_passport_download_enabled","is_passport_terms_and_condition_accepted","via_subscription_id","is_via_t&c_accepted","is_via_download_enabled"],"end_session_endpoint":"https://dev-login.euromonitor.com/connect/endsession","frontchannel_logout_session_supported":"true","frontchannel_logout_supported":"true","grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","urn:ietf:params:oauth:grant-type:device_code"],"id_token_signing_alg_values_supported":["RS256"],"issuer":"https://dev-beta-login.euromonitor.com","jwks_uri":"https://dev-login.euromonitor.com/.well-known/openid-configuration/jwks","JsonWebKeySet":{"keys":[{"alg":"RS256","e":"AQAB","kid":"7A73F733060D8D146CB5BA85AA6CF23CBBA80567","kty":"RSA","n":"2BqsIz2ta3iKfrGs6vvHi0tBb-4qDv9NgY-oeLTWqC-73Qk40_zsrPcEw0Qt7XNvLXJXMlZv0UbietL7o_QvdAGV6DPVqJ1y1NTsRoT14P2--yEKxBLXWjvD3Em8seDkxcm840t6mY0J32UpsUx0M6Bj4h85CKnIoQmcpiSCBsbC87Lq2qdf7_ZdqmF8HCRD8tVbOk4xTWc-F01PBRPxSGGJ89BDEQ8QTMjVjQS9DvckNVDpUf2-t7U4akY1TW7DdCYmd2XpDsB_3SWt5ypQS9lfR4VchhGyDZ8BHuDWoEYYkkrHij1RBdBxk5Uho2LGulLvqINjEKedx1UaoOqpkw","use":"sig","x5c":["MIIDCjCCAfKgAwIBAgIQo4LkXeJ6P59KkkfL0p8VxzANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5FTUktSWRlbnRpdHlDTjAeFw0xODAxMjkwODM3MzlaFw0zOTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkVNSS1JZGVudGl0eUNOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2BqsIz2ta3iKfrGs6vvHi0tBb+4qDv9NgY+oeLTWqC+73Qk40/zsrPcEw0Qt7XNvLXJXMlZv0UbietL7o/QvdAGV6DPVqJ1y1NTsRoT14P2++yEKxBLXWjvD3Em8seDkxcm840t6mY0J32UpsUx0M6Bj4h85CKnIoQmcpiSCBsbC87Lq2qdf7/ZdqmF8HCRD8tVbOk4xTWc+F01PBRPxSGGJ89BDEQ8QTMjVjQS9DvckNVDpUf2+t7U4akY1TW7DdCYmd2XpDsB/3SWt5ypQS9lfR4VchhGyDZ8BHuDWoEYYkkrHij1RBdBxk5Uho2LGulLvqINjEKedx1UaoOqpkwIDAQABo04wTDBKBgNVHQEEQzBBgBCcxBa
Zl+0+3mpWe9mQZjgSoRswGTEXMBUGA1UEAxMORU1JLUlkZW50aXR5Q06CEKOC5F3iej+fSpJHy9KfFccwDQYJKoZIhvcNAQELBQADggEBAKFIT+sxBCDN7zIGt3mBxTk+Pl05zhKGs53nElykpt2CGSN9TD5uC3PdWw+Od4oHMOLUh0dE+W6qK5ZlJn5DbnbmV/F37592/BqH0R3GqTR/Z7S/k3cK7JTU3fFrnegvDn7VH3Zz1qb67voVQBlspChPymbK7terINNJvustZ3QntmAbw34/8kbCUYm+tZCLQH6BhlL9rxrYFfKj4WE6PP9rh+5vugn3yqDstY1NYaQ9XFWL7r45cKBGIZ+Q4n2fhtjeKSljQZ90JvVssY2cRrNHWU/yaLgCb2FDme/bjLWymYpzEPsHTYNEoKbTk6KIna+In2fbRaBXRA4OZZf4yJY="],"x5t":"enP3MwYNjRRstbqFqmzyPLuoBWc"}]},"response_modes_supported":["form_post","query","fragment"],"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],"scopes_supported":["openid","profile","email","subscriber_id","is_passport_download_enabled","is_passport_terms_and_condition_accepted","department","via_scopes","microui-sample-scope","test","Euromonitor.Statistics.CatalogService","Euromonitor.SportsService","microservice-sample-api-resource","Euromonitor.dev-via","Euromonitor.VIA.Interface","Euromonitor.Via.PreferenceService","Euromonitor.Identity.UserService","Euromonitor.Subscribers.SubscriptionService","Euromonitor.VIA.Search.Service","Euromonitor.Via.CatalogService","Euromonitor.HelpProject.Service","Euromonitor.Help.Service","Euromonitor.Via.AuthorizationService","Euromonitor.Via.FilterService","Euromonitor.Membership.UserService","Euromonitor.VIA.Help.Service","Euromonitor.AnalysisService","Euromonitor.Via.DataExtractionService","Euromonitor.EmailService","Euromonitor.dev3-via","Euromonitor.temp-via","Euromonitor.demo-via","Euromonitor.Statistics.SportsService","Euromonitor.Statistics.AuthorizationService","EuromonitorStatistics.CatalogService","user_info","EMMA365.Authorization","EMMA365.Catalog","EMMA365.Sizes","Via.Authorization.Write","Euromonitor.Download.NotificationService","Euromonitor.Statistics.MarketSizeService","Euromonitor.Statistics.CompanyShareService","Euromonitor.Statistics.BrandShareService","Euromonitor.Statistics.Authorisation
Service","Passport.PushNotification.Service","Passport.Notification.Service","Euromonitor.MediaConverterAPI","Euromonitor.MagazineService","offline_access"],"SigningKeys":[{"KeySize":2048,"X5t":"enP3MwYNjRRstbqFqmzyPLuoBWc","PrivateKey":null,"PublicKey":{"Key":{"Algorithm":{"Algorithm":"RSA"},"AlgorithmGroup":{"AlgorithmGroup":"RSA"},"ExportPolicy":0,"Handle":{"IsInvalid":false,"IsClosed":false},"IsEphemeral":true,"IsMachineKey":false,"KeyName":null,"KeySize":2048,"KeyUsage":16777215,"ParentWindowHandle":{"value":0},"Provider":{"Provider":"Microsoft Software Key Storage Provider"},"ProviderHandle":{"IsInvalid":false,"IsClosed":false},"UIPolicy":{"ProtectionLevel":0,"FriendlyName":null,"Description":null,"UseContext":null,"CreationTitle":null},"UniqueName":null},"LegalKeySizes":[{"MinSize":512,"MaxSize":16384,"SkipSize":64}],"KeyExchangeAlgorithm":"RSA","SignatureAlgorithm":"RSA","KeySize":2048},"HasPrivateKey":false,"PrivateKeyStatus":1,"Certificate":{"Archived":false,"Extensions":[{"Critical":false,"Oid":{"Value":"2.5.29.1","FriendlyName":"Authority Key 
Identifier"},"RawData":"MEGAEJzEFpmX7T7ealZ72ZBmOBKhGzAZMRcwFQYDVQQDEw5FTUktSWRlbnRpdHlDToIQo4LkXeJ6P59KkkfL0p8Vxw=="}],"FriendlyName":"","HasPrivateKey":false,"PrivateKey":null,"IssuerName":{"Name":"CN=EMI-IdentityCN","Oid":{"Value":null,"FriendlyName":null},"RawData":"MBkxFzAVBgNVBAMTDkVNSS1JZGVudGl0eUNO"},"NotAfter":"2040-01-01T01:59:59+02:00","NotBefore":"2018-01-29T10:37:39+02:00","PublicKey":{"EncodedKeyValue":{"Oid":{"Value":"1.2.840.113549.1.1.1","FriendlyName":"RSA"},"RawData":"MIIBCgKCAQEA2BqsIz2ta3iKfrGs6vvHi0tBb+4qDv9NgY+oeLTWqC+73Qk40/zsrPcEw0Qt7XNvLXJXMlZv0UbietL7o/QvdAGV6DPVqJ1y1NTsRoT14P2++yEKxBLXWjvD3Em8seDkxcm840t6mY0J32UpsUx0M6Bj4h85CKnIoQmcpiSCBsbC87Lq2qdf7/ZdqmF8HCRD8tVbOk4xTWc+F01PBRPxSGGJ89BDEQ8QTMjVjQS9DvckNVDpUf2+t7U4akY1TW7DdCYmd2XpDsB/3SWt5ypQS9lfR4VchhGyDZ8BHuDWoEYYkkrHij1RBdBxk5Uho2LGulLvqINjEKedx1UaoOqpkwIDAQAB"},"EncodedParameters":{"Oid":{"Value":"1.2.840.113549.1.1.1","FriendlyName":"RSA"},"RawData":"BQA="},"Key":{"Key":{"Algorithm":{"Algorithm":"RSA"},"AlgorithmGroup":{"AlgorithmGroup":"RSA"},"ExportPolicy":0,"Handle":{"IsInvalid":false,"IsClosed":false},"IsEphemeral":true,"IsMachineKey":false,"KeyName":null,"KeySize":2048,"KeyUsage":16777215,"ParentWindowHandle":{"value":0},"Provider":{"Provider":"Microsoft Software Key Storage 
Provider"},"ProviderHandle":{"IsInvalid":false,"IsClosed":false},"UIPolicy":{"ProtectionLevel":0,"FriendlyName":null,"Description":null,"UseContext":null,"CreationTitle":null},"UniqueName":null},"LegalKeySizes":[{"MinSize":512,"MaxSize":16384,"SkipSize":64}],"KeyExchangeAlgorithm":"RSA","SignatureAlgorithm":"RSA","KeySize":2048},"Oid":{"Value":"1.2.840.113549.1.1.1","FriendlyName":"RSA"}},"RawData":"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","SerialNumber":"A382E45DE27A3F9F4A9247CBD29F15C7","SignatureAlgorithm":{"Value":"1.2.840.113549.1.1.11","FriendlyName":"sha256RSA"},"SubjectName":{"Name":"CN=EMI-IdentityCN","Oid":{"Value":null,"FriendlyName":null},"RawData":"MBkxFzAVBgNVBAMTDkVNSS1JZGVudGl0eUNO"},"Thumbprint":"7A73F733060D8D146CB5BA85AA6CF23CBBA80567","Version":3,"Handle":{"value":1915378295952},"Issuer":"CN=EMI-IdentityCN","Subject":"CN=EMI-IdentityCN"}},{"HasPrivateKey":false,"PrivateKeyStatus":1,"KeySize":2048,"Parameters":{"D":null,"DP":null,"DQ":null,"Exponent":"AQAB","InverseQ":null,"Modulus":"2BqsIz2ta3iKfrGs6vvHi0tBb+4qDv9NgY+oeLTWqC+73Qk40/zsrPcEw0Qt7XNvLXJXMlZv0UbietL7o/QvdAGV6DPVqJ1y1NTsRoT14P2++yEKxBLXWjvD3Em8seDkxcm840t6mY0J32UpsUx0M6Bj4h85CKnIoQmcpiSCBsbC87Lq2qdf7/ZdqmF8HCRD8tVbOk4xTWc+F01PBRPxSGGJ89BDEQ8QTMjVjQS9DvckNVDpUf2+t7U4akY1TW7DdCYmd2XpDsB/3SWt5ypQS9lfR4VchhGyDZ8BHuDWoEYYkkrHij1RBdBxk5Uho2LGulLvqINjEKedx1UaoOqpkw==","P":null,"Q":null},"Rsa":null}],"subject_types_supported":["public"],"token_endpoint":"https://dev-login.euromonitor.com/connect/token","token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"userinfo_endpoint":"https://dev-login.euromonitor.com/connect/userinfo","revocation_endpoint":"https://dev-login.euromonitor.com/connect/revocation","introspection_endpoint":"https://dev-login.euromonitor.com/connect/introspect","device_authorization_endpoint":"https://dev-login.euromonitor.com/connect/deviceauthorization","backchannel_logout_supported":true,"backchannel_logout_session_supported":
true,"code_challenge_methods_supported":["plain","S256"]}

@Dzoukr commented Oct 7, 2019

Most likely connected with #1124. I have the same issue with creating OpenIdConnectConfiguration from json (which is the same as provided on https://myidentityserveruri.com/.well-known/openid-configuration) where collections with keys are empty.

@mafurman (Member)

@Francois-du-Plessis

Our OpenIdConnectConfiguration object has a SigningKeys property on it which is only meant to be populated from the 'jwks_uri' parameter value.

It seems like the JSON you're using has a 'SigningKeys' parameter, and by default JsonConvert was trying to deserialize the values associated with this parameter into the OpenIdConnectConfiguration.SigningKeys property (which is incorrect). I've just issued a PR which should fix this issue for you.

Since 'SigningKeys' is not one of the defined OpenIdConnect parameter values, you'll be able to find the value of this parameter on OpenIdConnectConfiguration.AdditionalData.

@bdebaere

@mafurman If the SigningKeys property can only be populated from the 'jwks_uri', how would I be able to cache the metadata of the authentication scheme during Startup, so that a first request to the API does not have to be delayed by this?
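Added example (not code from this thread or from the library's own tests) showing the pattern the maintainer describes: signing keys are only ever populated by the retriever from `jwks_uri`, so a `Write`/`Create` round trip cannot carry them, and startup warm-up is done by fetching once through a `ConfigurationManager` whose cache then serves later requests. The metadata URL is a placeholder, and the behaviour of `Create` on a JSON `SigningKeys` member assumes the fix from #1265.

```csharp
// Added example; assumes Microsoft.IdentityModel.Protocols.OpenIdConnect with the fix from #1265.
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class MetadataWarmup
{
    // Placeholder discovery URL; replace with the real issuer's well-known endpoint.
    const string MetadataAddress =
        "https://myidentityserveruri.com/.well-known/openid-configuration";

    // One manager instance is created at startup and shared with the JWT bearer handler
    // (e.g. assigned to JwtBearerOptions.ConfigurationManager) so both use the same cache.
    public static readonly ConfigurationManager<OpenIdConnectConfiguration> Manager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            MetadataAddress, new OpenIdConnectConfigurationRetriever());

    // Fetch the discovery document and its jwks_uri once during startup. Subsequent
    // GetConfigurationAsync calls are served from the cache until the automatic refresh
    // interval elapses, so the first API request does not pay for the metadata round trip.
    public static Task<OpenIdConnectConfiguration> WarmUpAsync(CancellationToken cancel) =>
        Manager.GetConfigurationAsync(cancel);

    // After the fix, serializing a fetched configuration and rebuilding it with Create
    // no longer throws; the "SigningKeys" member lands in AdditionalData instead of
    // SigningKeys, so keys must come from the retriever, never from copied JSON.
    public static void ShowRoundTrip(OpenIdConnectConfiguration fetched)
    {
        string json = OpenIdConnectConfiguration.Write(fetched);
        OpenIdConnectConfiguration copy = OpenIdConnectConfiguration.Create(json);

        Console.WriteLine($"keys from jwks_uri: {fetched.SigningKeys.Count}");
        Console.WriteLine($"keys after Create: {copy.SigningKeys.Count}");
        Console.WriteLine(
            $"SigningKeys kept in AdditionalData: {copy.AdditionalData.ContainsKey("SigningKeys")}");
    }
}
```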
