Duende IdentityServer, the Microsoft external authentication handlers and other libraries all use the Microsoft.IdentityModel set of libraries. These libraries provides token and configuration handling features. The functionality is split up between different libraries and they all need to be exactly the same version. However this is not enforced by Nuget so it is common to end up with an application that brings in different versions of Microsoft.IdentityModel.* through transitive dependencies.
Errors that we have seen because of IdentityModel version mismatches include:
Run this command in powershell: dotnet list package --include-transitive | sls "Microsoft.IdentityModel|System.IdentityModel"
The output should look something like this:
> Microsoft.IdentityModel.Abstractions 7.4.0
> Microsoft.IdentityModel.JsonWebTokens 7.4.0
> Microsoft.IdentityModel.Logging 7.4.0
> Microsoft.IdentityModel.Protocols 7.0.3
> Microsoft.IdentityModel.Protocols.OpenIdConnect 7.0.3
> Microsoft.IdentityModel.Tokens 7.4.0
> System.IdentityModel.Tokens.Jwt 7.0.3
In the above example it is clear that there are different versions active.
To fix this, add explicit package references to upgrade the packages that are of lower version to the most recent version used.
<PackageReference Include="Microsoft.IdentityModel.Protocols" Version="7.4.0" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.4.0" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.4.0" />