Issue with Long-Lived Token: "The signature key was not found" despite ValidateIssuerSigningKey = false

[kryptobi]

Dear Duende Support :-),

IdentityServer with the highest license tier, version 7.0.8.

As part of a specific implementation, we decided to issue long-lived access tokens (valid for more than 5 years). These tokens are generated via code, as shown below:

var client = await _clientStore.FindClientByIdAsync(scimClient.ClientId);

if (client == null)
{
   throw new Exception("Client not found");
}

var validatedRequest = new TokenCreationRequest
{
   ValidatedRequest = new ValidatedRequest
   {
      Client = client,
      ClientId = client.ClientId,
      AccessTokenLifetime = client.AccessTokenLifetime,
   },
   ValidatedResources = new ResourceValidationResult
   {
      Resources = new Resources(
         new List<IdentityResource>(),
         new List<ApiResource>(),
         client.AllowedScopes.Select(scope => new ApiScope(scope)).ToList())
   },
};

var token = await _tokenService.CreateAccessTokenAsync(validatedRequest);
token.Audiences.Add(client.ClientId);
token.Issuer = _configuration.GetPublicOrigin();

foreach (var scope in client.AllowedScopes)
{
   token.Claims.Add(new Claim("scope", scope));
}

var securityToken = await _tokenService.CreateSecurityTokenAsync(token);

return (securityToken, token.Lifetime, scimClient.ClientId);

The token is then validated in a resource API as follows:

services
   .AddAuthentication()
   .AddJwtBearer(tokenConfiguration.Name, options =>
   {
      options.Authority = tokenConfiguration.Authority;
      options.Audience = tokenConfiguration.ClientId;
      options.TokenValidationParameters = new TokenValidationParameters
      {
         ValidateIssuer = true,
         ValidIssuer = tokenConfiguration.Authority,
         ValidateLifetime = false,
         ValidateAudience = true,
         ValidAudience = tokenConfiguration.ClientId,
         ValidateIssuerSigningKey = false,
      };
   });

As you can see, ValidateIssuerSigningKey is explicitly set to false. Despite this, we repeatedly receive the following error response:

GET Response Status
Code: Unauthorized
Response Headers:
  Connection: keep-alive
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Date: Wed, 30 Apr 2025 05:49:49 GMT
  Server: nginx
  Www-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"
Response Content: Please check the service.

This is the client configuration:

Id: 1
Enabled: 1
ClientId: customer:client
ProtocolType: oidc
RequireClientSecret: 1
ClientName: live
Description: (leer)
ClientUri: (leer)
LogoUri: (leer)
RequireConsent: 0
AllowRememberConsent: 1
AlwaysIncludeUserClaimsInIdToken: 0
RequirePkce: 0
AllowPlainTextPkce: 0
AllowAccessTokensViaBrowser: 0
FrontChannelLogoutUri: (leer)
FrontChannelLogoutSessionRequired: 0
BackChannelLogoutUri: (leer)
BackChannelLogoutSessionRequired: 0
AllowOfflineAccess: 0
IdentityTokenLifetime: 157788000
AccessTokenLifetime: 157788000
AuthorizationCodeLifetime: 157788000
ConsentLifetime: (leer)
AbsoluteRefreshTokenLifetime: 2592000
SlidingRefreshTokenLifetime: 1296000
RefreshTokenUsage: 0
UpdateAccessTokenClaimsOnRefresh: 1
RefreshTokenExpiration: 3600
AccessTokenType: 0
EnableLocalLogin: 0
IncludeJwtId: 0
AlwaysSendClientClaims: 0
ClientClaimsPrefix: client_
PairWiseSubjectSalt: (leer)
Created: 2025-02-04 06:45:55.350517
Updated: (leer)
LastAccessed: (leer)
UserSsoLifetime: (leer)
UserCodeType: (leer)
DeviceCodeLifetime: 0
NonEditable: 0
AllowedIdentityTokenSigningAlgorithms: (leer)
RequireRequestObject: 0
CibaLifetime: 0
PollingInterval: 0
CoordinateLifetimeWithUserSession: 00:00:00
RequireDPoP: (leer)
DPoPValidationMode: (leer)
DPoPClockSkew: 0
InitiateLoginUri: (leer)
PushedAuthorizationLifetime: (leer)
RequirePushedAuthorization: 0

Our question is: How can this error occur if ValidateIssuerSigningKey is disabled?

Is there something we may be missing in the token generation or validation pipeline that still requires the signature key?

Thank you in advance for your support.

Best regards,
Tobias Janssen

[AndersAbel]

First of all I need to point out that issuing JWTs with a lifetime of 5 years is something I would never recommend. JWTs are self-contained tokens and it is very rare that someone has implemented a revocation mechanism for them. That means that if a token is leaked, the only way to prevent misuse of it is to change the token signing keys which will affect all existing tokens.

If there is a need for long-lived tokens, our recommendation is to use reference tokens. We do have a sample on Personal Access Tokens that shows how to do that.

The "The signature key was not found" error message indicates that when validating the signature of the JWT, the signing key was not found. The JWT header contains a key id (kid). That key is used to validate the signature of the JWT. This is a must from a security point of view. The signing keys are loaded by default by the JWT handler by deriving a discovery document URL from the authority.

To troubleshoot please:

1. Take your JWT and decode it (e.g. using https://jwt.ms).
2. Check the kid from the header.
3. Open the discovery document on your IdentityServer (https://identityserver.example.com/.well-known/openid-configuration).
4. Navigate to the listed jwks_uri
5. Check that a key with the kid from step 2 is present.

The ValidateIssuerSigningKey setting indicates if the key itself should be validated or not. This is only relevant if the key is an X509 certificate. In that case, the validity time of the certificate is validated.

[kryptobi]

Based on the discussion above, it seems that using reference tokens is the most suitable approach in this case, especially since they do not rely on key rotation. This avoids issues related to missing signing keys or JWKS configuration.

Thanks again for the helpful input!