@@ -581,14 +581,27 @@ private string HandleBearerToken(string? bearerToken, ref string user, ref bool
581581 user = "" ;
582582 var jwksUrl = "" ;
583583 var kid = jwtSecurityToken . Header [ "kid" ] . ToString ( ) ;
584+ var clientHandler = new HttpClientHandler { DefaultProxyCredentials = CredentialCache . DefaultCredentials } ;
585+ using var httpClient = new HttpClient ( clientHandler ) ;
586+
584587 if ( kid != null )
585588 {
586589 jwksUrl = SecurityHelper . FindServerJwksUrl ( kid , iss , out domain ) ;
587590 }
588- if ( ! jwksUrl . IsNullOrEmpty ( ) )
591+ if ( jwksUrl . IsNullOrEmpty ( ) )
592+ {
593+ var openIdConfig = httpClient . GetStringAsync ( $ "{ iss } /.well-known/openid-configuration") . Result ;
594+ var openIdConfigJson = JsonDocument . Parse ( openIdConfig ) ;
595+
596+ string jwksUri = $ "{ iss } /jwks";
597+ if ( openIdConfigJson . RootElement . TryGetProperty ( "jwks_uri" , out var propJwksUri ) )
598+ {
599+ jwksUri = propJwksUri . GetString ( ) ;
600+ }
601+ }
602+
603+ try
589604 {
590- var clientHandler = new HttpClientHandler { DefaultProxyCredentials = CredentialCache . DefaultCredentials } ;
591- using var httpClient = new HttpClient ( clientHandler ) ;
592605 var jwksJson = httpClient . GetStringAsync ( jwksUrl ) . Result ;
593606 var jwks = new JsonWebKeySet ( jwksJson ) ;
594607 var signingKeys = jwks . GetSigningKeys ( ) ;
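Review bot: The jwks_uri discovered from the openid-configuration document is stored in the new local `jwksUri` (lines 596–600) but the fetch on line 605 still reads `jwksUrl`, which is still "" on this path, so the new fallback never takes effect and GetStringAsync fails on an empty URI; assigning `jwksUrl = propJwksUri.GetString() ?? $"{iss}/jwks";` in place of the unused local (and seeding `jwksUrl` with the same default before the TryGetProperty) fixes that. Both new requests are built from `iss`, which is read from the not-yet-validated token, so unless `iss` is checked against the configured set of trusted issuers before this point (not visible in the hunk), the service will fetch and use signing keys from whatever issuer an incoming token names; key discovery should only run for issuers already on an allow-list. `GetStringAsync(...).Result` on line 593 blocks the calling thread and surfaces failures as AggregateException, and that call sits outside the try that wraps the jwks fetch, so a discovery failure escapes this method uncaught. HandleBearerToken begins and ends outside the hunk.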
@@ -611,11 +624,12 @@ private string HandleBearerToken(string? bearerToken, ref string user, ref bool
611624 }
612625 catch ( Exception ex )
613626 {
627+ _logger . LogError ( $ "Error in validation of token { bearerToken } : { ex . Message } .") ;
614628 }
615629 }
616- else
630+ catch ( Exception ex )
617631 {
618-
632+ _logger . LogError ( $ "Error in loading jwks from { jwksUrl } : { ex . Message } ." ) ;
619633 }
620634 }
621635 }
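Review bot: The new log line on line 627 writes the full bearer token into the error log, so every failed validation persists a raw credential in plaintext; log the key id and issuer instead, e.g. `_logger.LogError(ex, "Error in validation of token with kid {Kid} from issuer {Issuer}", kid, iss);`. On both line 627 and line 632 only `ex.Message` is recorded, which drops the exception type and stack trace; passing `ex` as the first argument and using structured placeholders rather than interpolation keeps them and avoids building the string when the level is disabled. The inner catch still swallows the validation failure and falls through, so the caller's result depends on whatever `user`/`isValid` state was set before the throw; that is presumably intended as a deny, but a comment stating it would help. The enclosing try begins in the previous hunk and HandleBearerToken ends outside this one.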