IdentityServer3 dependency conflict with Okta's SDK #235

Open
andresmachadofernandez opened this issue Feb 9, 2023 · 0 comments
Labels
bug Something isn't working OKTA-731151

andresmachadofernandez commented Feb 9, 2023

Describe the bug?

I have a solution that I was tasked to update from .NET Framework 4.6 to 4.8 (can't go any higher than that). We also need to add Okta as an auth method.

The solution has multiple projects and it already uses an Identity Server bearer token authentication method, that needs to work in tandem with Okta. I have already done this using authorization filters in a previous solution that I also had to update/add Okta to.

But the problem I am having is that Okta's SDK, or more precisely, the dependencies it requires to work, are completely incompatible with Identity Server 3 and its dependencies.

Here are the constraints of the Okta SDK (Package: Okta.AspMvc):

image

I have set up an Okta auth project and added these exact dependencies and versions. In the other projects of my solution, I have older versions of these packages. Some examples:

- System.IdentityModel.Tokens.Jwt v4.0.4.4030
- Microsoft.Owin.Security.Jwt v3.1.0
- IdentityServer3.AccessTokenValidation v2.15.0
- Microsoft.AspNet.Identity.Owin v2.2.1

The solution, then, seems simple enough: either downgrade Okta's SDK to a version that works with the older packages, or (the correct one) upgrade all of the other packages in your solution. However, this has proven not to be the case, as neither of these approaches seems to work. Here's what happened:

  1. Downgrading Okta: even the oldest version of the SDK has the exact same package constraints as the ones in the picture I attached earlier. Any version of the package requires the same versions of its dependencies, so there's no downgrading Okta.

  2. Upgrading everything else: the most intuitive solution, and yet the most baffling. Upgrading every single dependency to its latest, even matching the versions to those found in the Okta auth project, will still throw the following error:

```
Could not load type 'System.IdentityModel.Tokens.TokenValidationParameters'
from assembly 'System.IdentityModel.Tokens.Jwt, Version=6.17.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35'
```

This TokenValidationParameters class is being used in my Authorization filter to check the correctness of the Okta token I am getting. Here's a sample of that code:

```csharp
var validationParameters = new TokenValidationParameters
{
    RequireExpirationTime = true,
    RequireSignedTokens = true,
    ValidateIssuer = true,
    ValidIssuer = issuer,
    // Audience ("aud") is not checked in this sample.
    ValidateAudience = false,
    ValidateIssuerSigningKey = true,
    IssuerSigningKeys = signingKeys,
    ValidateLifetime = true,
    // Tolerance for clock drift when checking token lifetime.
    ClockSkew = TimeSpan.FromMinutes(2)
};
```

Deleting this code of course does nothing, since the problem is with a dependency inconsistency and not with the code itself. Deleting those lines will still produce the same error.

However, there should be no dependency inconsistency, since now all versions match.

I did find this GitHub issue opened in the AspNetKatana repository that seems to indicate that even if all packages in all of your projects are correctly updated, you may still get this error in your solution if you're using IdentityServer3.AccessTokenValidation, since it gets "stuck with an old dependency on Microsoft.Owin.Security.Jwt 3.0.1". I cannot prove that the commenters are correct, but it would make sense they are, given the situation I am in.

So even if I update my packages, IdentityServer3 will remain holding on to older versions.

Which would then take me to solution number 3:

  3. Upgrading IdentityServer: I tried this as well. I am already using the latest version of IdentityServer3, so the only way would be to move over to IdentityServer4. This is also problematic, since IS4 introduces several breaking changes (for example, it does not work with IAppBuilder, which is what my API projects use). Even if possible, it would be very costly to move over to IdentityServer4.

Has anyone ever encountered this issue? Or does anyone have any idea on how to fix it?

As a side note, I would've asked on the IdentityServer3 GitHub, but the repo has been made read only.

What is expected to happen?

Okta works with IdentityServer3

What is the actual behavior?

It does not work in conjunction with IdentityServer3.

Reproduction Steps?

Described above

Additional Information?

No response

.NET Version

Framework 4.8

SDK Version

3.2.2

OS version

No response

@andresmachadofernandez andresmachadofernandez added the bug Something isn't working label Feb 9, 2023
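
One way to test the "stuck with an old dependency" theory from the report above is to read the compiled references of every DLL in the application's bin folder. This is an added example for .NET Framework, not code from the issue author or the Okta SDK. The default folder `.\bin`, the class name `ReferenceAudit` and the exit codes are assumptions.

```csharp
// Added example: reports which assemblies in a bin folder were compiled against
// which version of a given dependency. Defaults below are assumptions.
using System;
using System.IO;
using System.Linq;
using System.Reflection;

static class ReferenceAudit
{
    static int Main(string[] args)
    {
        // Assumed defaults; override with: ReferenceAudit.exe <binFolder> <assemblyName>
        string binFolder = args.Length > 0 ? args[0] : @".\bin";
        string target = args.Length > 1 ? args[1] : "System.IdentityModel.Tokens.Jwt";

        if (!Directory.Exists(binFolder))
        {
            Console.Error.WriteLine("Folder not found: " + binFolder);
            return 2;
        }

        int oldReferences = 0;
        foreach (string path in Directory.EnumerateFiles(binFolder, "*.dll"))
        {
            AssemblyName[] references;
            try
            {
                // Reflection-only load reads metadata without executing any code.
                references = Assembly.ReflectionOnlyLoadFrom(path).GetReferencedAssemblies();
            }
            catch (Exception ex) when (ex is BadImageFormatException || ex is FileLoadException)
            {
                continue; // native DLL or duplicate identity: nothing managed to report
            }

            foreach (AssemblyName reference in references.Where(r =>
                     string.Equals(r.Name, target, StringComparison.OrdinalIgnoreCase)))
            {
                // Major version 4 is the pre-5.x line of the older packages listed in the issue.
                bool old = reference.Version != null && reference.Version.Major < 5;
                if (old) oldReferences++;
                Console.WriteLine("{0,-55} -> {1} {2}{3}", Path.GetFileName(path),
                    reference.Name, reference.Version, old ? "  [compiled against < 5.x]" : "");
            }
        }
        return oldReferences == 0 ? 0 : 1; // non-zero exit when an old reference exists
    }
}
```

Any DLL flagged as compiled against a version below 5.x is a candidate source of the "Could not load type" error: from 5.x onward `TokenValidationParameters` is defined in the `Microsoft.IdentityModel.Tokens` assembly and namespace, so a caller built against 4.x asks the 6.17.0.0 assembly for a type it no longer contains.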