
IDX10720

BrentSchmaltz edited this page Nov 30, 2023 · 12 revisions


If you receive an exception such as: `IDX10720: Unable to create KeyedHashAlgorithm for algorithm 'SHA256', the key size must be greater than: '256' bits, key has '128' bits. See https://aka.ms/IdentityModel/UnsafeRelaxHmacKeySizeValidation`

This means that you have specified HMAC256 as the crypto algorithm, but the key you provided for it is shorter than required. You are less secure than you think!

The numbers and name of the algorithm can vary. See: https://datatracker.ietf.org/doc/html/rfc7518#section-3.2 for details.

In Microsoft.IdentityModel 6.x we have fixed this security issue to ensure security is at the desired level. This ensures you conform with the specification.

If you receive this exception, the best practice is to increase the size of your key to the suggested number of bits.
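The following is an added example, not code from this wiki or from the Microsoft.IdentityModel project: it checks an HMAC key against the RFC 7518 section 3.2 minimum (a key at least as large as the hash output) before building signing credentials, and generates a replacement key of the right size. The class `HmacKeyCheck` and its members are hypothetical names, and the code assumes .NET 6 or later with the Microsoft.IdentityModel.Tokens package.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper for illustration; not part of Microsoft.IdentityModel.
public static class HmacKeyCheck
{
    // RFC 7518 section 3.2: the key must be at least as large as the hash output.
    private static readonly Dictionary<string, int> MinBits = new()
    {
        [SecurityAlgorithms.HmacSha256] = 256, // "HS256"
        [SecurityAlgorithms.HmacSha384] = 384, // "HS384"
        [SecurityAlgorithms.HmacSha512] = 512, // "HS512"
    };

    // True only for a known HMAC algorithm and a key that meets its minimum size.
    public static bool IsLongEnough(byte[] key, string algorithm) =>
        MinBits.TryGetValue(algorithm, out int min) && key.Length * 8 >= min;

    // Generates a random key of exactly the minimum size for the algorithm.
    public static byte[] NewKey(string algorithm) =>
        RandomNumberGenerator.GetBytes(MinBits[algorithm] / 8);

    // Fails early with a clear message instead of at signing time.
    public static SigningCredentials CreateCredentials(byte[] key, string algorithm)
    {
        if (!IsLongEnough(key, algorithm))
            throw new ArgumentException(
                $"Key has {key.Length * 8} bits, too short for {algorithm}.");
        return new SigningCredentials(new SymmetricSecurityKey(key), algorithm);
    }

    public static void Main()
    {
        // Constructed sample: a 16-character ASCII secret is only 128 bits,
        // the same size reported in the exception message above.
        byte[] shortKey = Encoding.UTF8.GetBytes("0123456789abcdef");
        Console.WriteLine(IsLongEnough(shortKey, SecurityAlgorithms.HmacSha256));

        // A freshly generated 256-bit key passes the check.
        byte[] goodKey = NewKey(SecurityAlgorithms.HmacSha256);
        SigningCredentials creds = CreateCredentials(goodKey, SecurityAlgorithms.HmacSha256);
        Console.WriteLine($"{creds.Algorithm}: {goodKey.Length * 8} bits");
    }
}
```

Store the generated key in your secret store (for example Base64-encoded) rather than regenerating it on each start, since tokens signed with the old key will no longer validate.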

If you really cannot act immediately, you can set a feature flag to bypass this security check. We encourage you to address the root cause as soon as possible. To set this feature flag:
