IDX10720
If you receive an exception such as:
"IDX10720: Unable to create KeyedHashAlgorithm for algorithm 'SHA256', the key size must be greater than: '256' bits, key has '128' bits. See https://aka.ms/IdentityModel/UnsafeRelaxHmacKeySizeValidation"
this means that you intend to use a 256-bit crypto algorithm, but the key you provided for this algorithm is shorter than the length it expects. You are less secure than you think!
The numbers and the name of the algorithm in the message can vary.
In Microsoft.IdentityModel 6.x we fixed a security issue so that this is no longer allowed, because such a key does not give you the security you expect. This conforms with the standard.
If you receive this exception you should really pass a key with the right number of bits.
If you really cannot act immediately, you can set a feature flag to bypass this security check, but you should plan to fix the root cause as soon as possible. To set this feature flag:
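The rule behind the check, as an added example that is not the library's own code: an HMAC key must be at least as long as the hash output of the algorithm it is paired with (256 bits for HS256, 384 for HS384, 512 for HS512), which is what RFC 7518 section 3.2 requires. The function names, the 16-byte sample secret and the base64url decoding of a configured secret are assumptions made for this example.

```python
"""Check an HMAC (HS256/HS384/HS512) key against the minimum size that
IDX10720 enforces, and generate a key of the right size. Added example,
not Microsoft.IdentityModel code."""
import base64
import secrets

# Minimum key size in bits = hash output size of the algorithm (RFC 7518 3.2).
MIN_HMAC_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}


def key_from_base64url(secret: str) -> bytes:
    """Decode a base64url secret as stored in configuration; pad if needed."""
    padded = secret + "=" * (-len(secret) % 4)
    return base64.urlsafe_b64decode(padded)


def hmac_key_bits(key: bytes) -> int:
    """Size of the raw key material in bits."""
    return len(key) * 8


def check_hmac_key_size(algorithm: str, key: bytes) -> tuple:
    """Return (ok, message); the message mirrors the shape of IDX10720."""
    if algorithm not in MIN_HMAC_KEY_BITS:
        raise ValueError(f"not an HMAC JWS algorithm: {algorithm}")
    minimum = MIN_HMAC_KEY_BITS[algorithm]
    have = hmac_key_bits(key)
    if have < minimum:
        return False, (f"{algorithm}: key size must be at least {minimum} "
                       f"bits, key has {have} bits")
    return True, f"{algorithm}: key has {have} bits (minimum {minimum})"


def generate_hmac_key(algorithm: str) -> bytes:
    """Random key of exactly the minimum size for the algorithm."""
    return secrets.token_bytes(MIN_HMAC_KEY_BITS[algorithm] // 8)


if __name__ == "__main__":
    # Constructed sample: a 16-byte (128-bit) secret, the kind of value that
    # trips IDX10720 when used with HS256.
    short_key = b"0123456789abcdef"
    print(check_hmac_key_size("HS256", short_key))
    # A correctly sized replacement key, shown base64url-encoded as it would
    # be stored in configuration, then decoded and re-checked.
    good_key = generate_hmac_key("HS256")
    stored = base64.urlsafe_b64encode(good_key).decode().rstrip("=")
    print(check_hmac_key_size("HS256", key_from_base64url(stored)))
```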