Bump System.IdentityModel.Tokens.Jwt from 6.5.0 to 6.34.0 in /src/Aut…

…h0.AuthenticationApi (#702) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Frederik Prijck <[email protected]>
auth0 · Jan 10, 2024 · 020e3fc · 020e3fc
1 parent 24a6502
commit 020e3fc
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/src/Auth0.AuthenticationApi/Auth0.AuthenticationApi.csproj b/src/Auth0.AuthenticationApi/Auth0.AuthenticationApi.csproj
@@ -17,6 +17,6 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.5.0" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.5.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.34.0" />
   </ItemGroup>
 </Project>
diff --git a/src/Auth0.AuthenticationApi/Tokens/SignedDecoder.cs b/src/Auth0.AuthenticationApi/Tokens/SignedDecoder.cs
@@ -37,6 +37,10 @@ public JwtSecurityToken DecodeSignedToken(string token)
             }
             catch (SecurityTokenSignatureKeyNotFoundException ex)
             {
+                if (signatureAlgorithm == JwtSignatureAlgorithm.HS256)
+                {
+                    throw new IdTokenValidationException("Invalid token signature.", ex);
+                }
                 throw new IdTokenValidationKeyMissingException("Token signature key could not be found", ex);
             }
             catch (SecurityTokenException ex)

diff --git a/tests/Auth0.AuthenticationApi.IntegrationTests/Tokens/SymmetricSignedDecoderTests.cs b/tests/Auth0.AuthenticationApi.IntegrationTests/Tokens/SymmetricSignedDecoderTests.cs
@@ -9,12 +9,12 @@ namespace Auth0.AuthenticationApi.IntegrationTests.Tokens
 {
     public class SymmetricSignedDecoderTests : TestBase
     {
-        readonly SignedDecoder hs256Verifier = new SymmetricSignedDecoder("AUTH0_VALID_CLIENT_SECRET");
+        readonly SignedDecoder hs256Verifier = new SymmetricSignedDecoder("___AUTH0_VALID__CLIENT_SECRET___");
 
         [Fact]
         public void SucceedsWhenSignatureIsValid()
         {
-            var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("AUTH0_VALID_CLIENT_SECRET"));
+            var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("___AUTH0_VALID__CLIENT_SECRET___"));
 
             var tokenFactory = new JwtTokenFactory(key, SecurityAlgorithms.HmacSha256Signature);
 
@@ -26,7 +26,7 @@ public void SucceedsWhenSignatureIsValid()
         [Fact]
         public void ThrowsWhenSignatureIsInvalid()
         {
-            var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("AUTH0_INVALID_CLIENT_SECRET"));
+            var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("__AUTH0_INVALID__CLIENT_SECRET__"));
 
             var tokenFactory = new JwtTokenFactory(key, SecurityAlgorithms.HmacSha256Signature);