RS256 token validation failure

This topic has 3 replies, 3 voices, and was last updated 4 years, 7 months ago by Testing1562.

  • Author
  • #21015

    I am posting here because I’m trying to pinpoint a problem happening only with ForgeRock.

    We have an app that uses Google as an Authorization Server using OIDC. We are trying to add ForgeRock as an Authorization Server for one of our client.

    OIDC works fine, we connect and login to ForgeRock using our JavaScript client, get an id_token and can validate it in our JavaScript library and on JWT.IO.

    However, every ForgeRock tokens fail validation in our .NET/C# server – note that our server code works just fine when validating Google tokens.

    I was able to drill down the problem to the RSA/SHA256 validation where C# internals use the RSACryptoServiceProvider class and describe the issue in details here (

    The OIDC configuration from Google is this:

     "issuer": "",
     "authorization_endpoint": "",
     "token_endpoint": "",
     "userinfo_endpoint": "",
     "revocation_endpoint": "",
     "jwks_uri": "",
     "response_types_supported": [  "code",  "token",  "id_token",  "code token",  "code id_token",  "token id_token",  "code token id_token",  "none" ],
     "subject_types_supported": [  "public" ],
     "id_token_signing_alg_values_supported": [  "RS256" ],
     "scopes_supported": [  "openid",  "email",  "profile" ],
     "token_endpoint_auth_methods_supported": [  "client_secret_post",  "client_secret_basic" ],
     "claims_supported": [  "aud",  "email",  "email_verified",  "exp",  "family_name",  "given_name",  "iat",  "iss",  "locale",  "name",  "picture",  "sub" ],
     "code_challenge_methods_supported": [  "plain",  "S256" ]

    our client has these entries:

    "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A256CBC-HS512"],
    "acr_values_supported": [],
    "id_token_encryption_alg_values_supported": ["RSA1_5"],
    "id_token_signing_alg_values_supported": ["ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512"],

    Any ForgeRock people here ever had trouble validating tokens in a .NET/C# app? Could it be caused by something missing in ForgeRock hashing algorithm/token signature configuration?



    It happened to me when my token had an extra \r or \l right at the end. Removing that very last char resulted in successful validation.





Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?