
[Bug] Unknown reasons for Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys #2695

@maomaomqiu

Description


Hi, team

We use WebAuth, but we found an exception from Microsoft.identity.ServiceEssentials.Core.
This case is pretty rare. We also found that another team encountered such exceptions (in their cases they also hit this issue, and the probability was also rare).

Once this low-probability exception happens, it brings a catastrophic result.

Package reference chain:

WebAuth -> MISE -> SAL -> Wilson (Exception happened here)

Error Msg

Message: 'MISE12018: MiseHost (1.22.2.0): MISE12014: The request failed with exception: Microsoft.Identity.ServiceEssentials.Exceptions.MiseAuthenticationTicketProviderException: (layer1)

Component: AuthenticationTicketProvider:1.22.2.0

CorrelationId:8225b67f-b9a6-44b9-aaa6-b7503f1a13aa

Microsoft.Identity.ServiceEssentials.Exceptions.MiseAuthenticationTicketProviderException: MISE12034: AuthenticationTicketProvider (layer1)Name:AuthenticationTicketProvider, GetVersion:1.22.2.0.

---> System.AggregateException: S2S12096: Microsoft.IdentityModel.S2S.S2SAuthenticationManager caught exceptions when validating the token. See AuthenticationResult.InboundPolicyEvaluationResults for additional details. (S2S12086: An exception has been caught while validating the request applying the policy with id : 'c3a6fb3d-2f0a-4e6b-858a-406bbb4c6fdc'. Exception: Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

Exceptions caught:

'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context))

---> Microsoft.IdentityModel.S2S.S2SAuthenticationException: S2S12086: An exception has been caught while validating the request applying the policy with id : 'c3a6fb3d-2f0a-4e6b-858a-406bbb4c6fdc'. Exception: Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

Exceptions caught:

'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

---> Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

Exceptions caught:

'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

--- End of inner exception stack trace ---

--- End of inner exception stack trace ---

--- End of inner exception stack trace ---

at Microsoft.Identity.ServiceEssentials.MiseHost`1.AuthenticateRequestAsync(TMiseContext context, CancellationToken cancellationToken)

at Microsoft.Identity.ServiceEssentials.MiseHost1.HandleAsync(TMiseContext context, IReadOnlyCollection1 modules, CancellationToken cancellationToken). (8225b67f-b9a6-44b9-aaa6-b7503f1a13aa). ' dict: {"source":"ms-assignment"}

Places that would produce such exceptions: (screenshot not included in this page)

Similar Issue in stackoverflow

https://stackoverflow.microsoft.com/questions/361215

This is not correct for our case.

For our case, the tokens should be valid tokens. We didn't touch our auth logic or our app, and only one VM, actually one agent, is failing.

(We have many VMs sharing the same token, but only one failed.)
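The report above says that many hosts share the same token but a single agent fails with IDX10618, and that the exception message hides the key details behind "PII ... is hidden". The C# below is an added diagnostic example written for this page; it is not code from MISE, SAL, or Wilson and is not the author's. It assumes the failing host can hand over the compact JWE string and the `SecurityKey` collection it actually configured as `TokenDecryptionKeys`; `KeyUnwrapDiagnostics`, `KidCheck` and the parameter names are hypothetical. It uses only public Microsoft.IdentityModel APIs (`JsonWebToken` header properties, `IdentityModelEventSource.ShowPII`, `JsonWebTokenHandler.ValidateTokenAsync`).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

// Hypothetical diagnostic helper added for this page; not part of MISE, SAL or Wilson.
public static class KeyUnwrapDiagnostics
{
    public sealed class KidCheck
    {
        public string RequestedKid { get; init; }
        public string Alg { get; init; }
        public string Enc { get; init; }
        public bool KidIsLoaded { get; init; }
        public IReadOnlyList<string> LoadedKids { get; init; }
    }

    // Reads only the protected header of the compact JWE. Nothing is decrypted or
    // trusted here, so this can be run on the exact token that failed, on the
    // failing agent and on a healthy VM, and the two results compared.
    public static KidCheck CheckKid(string jwe, IEnumerable<SecurityKey> loadedDecryptionKeys)
    {
        var token = new JsonWebToken(jwe);

        // KeyId is what Wilson matches against the token's "kid" when choosing
        // which configured decryption key to try first.
        var loadedKids = loadedDecryptionKeys
            .Select(k => k.KeyId)
            .Where(id => !string.IsNullOrEmpty(id))
            .ToList();

        return new KidCheck
        {
            RequestedKid = token.Kid,
            Alg = token.Alg,   // key management algorithm, e.g. RSA-OAEP
            Enc = token.Enc,   // content encryption algorithm, e.g. A256CBC-HS512
            KidIsLoaded = !string.IsNullOrEmpty(token.Kid)
                          && loadedKids.Contains(token.Kid, StringComparer.Ordinal),
            LoadedKids = loadedKids,
        };
    }

    // Re-runs Wilson's own validation with PII shown, so IDX10618 names the keys it
    // tried instead of "PII of type 'System.Text.StringBuilder' is hidden".
    // Use only for a one-off diagnostic run: the log then contains key identifiers
    // and token material.
    public static async Task<TokenValidationResult> ValidateWithPiiAsync(
        string jwe, TokenValidationParameters parameters)
    {
        IdentityModelEventSource.ShowPII = true;

        var handler = new JsonWebTokenHandler();
        TokenValidationResult result = await handler.ValidateTokenAsync(jwe, parameters);

        if (!result.IsValid && result.Exception is SecurityTokenKeyWrapException unwrap)
        {
            Console.Error.WriteLine($"IDX10618 detail: {unwrap.Message}");
        }

        return result;
    }
}
```

Running `CheckKid` with the same token on the failing agent and on a healthy VM separates two cases the hidden message cannot: if `KidIsLoaded` is false only on the failing agent, that process holds a different decryption key set than its peers (stale or missing key material on that one host); if the requested `kid` is present on both, the key is loaded but the unwrap itself fails, and the PII-enabled message from `ValidateWithPiiAsync` is the next thing to read. Neither case is confirmed by the issue; the helper only makes the difference observable.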

Labels: Bug (Product is not functioning as expected), Customer reported (Indicates issue was opened by customer), Good First Issue (This is a good item for new team members), P1 (More important, prioritize highly)