
SecurityTokenInvalidIssuerException on Status / GetInstance calls in Azure Durable Functions SDK #3103

Closed

@steventmayer

Description

Which version of Microsoft.IdentityModel are you using?
Note that to get help, you need to run the latest version.
Microsoft.Identity.ServiceEssentials.AspNetCore 1.31.1 which uses System.IdentityModel.Tokens.Jwt, Version=6.35.0.0

Where is the issue?

  • [ ] M.IM.JsonWebTokens
  • [ ] M.IM.KeyVaultExtensions
  • [ ] M.IM.Logging
  • [ ] M.IM.ManagedKeyVaultSecurityKey
  • [ ] M.IM.Protocols
  • [ ] M.IM.Protocols.OpenIdConnect
  • [ ] M.IM.Protocols.SignedHttpRequest
  • [ ] M.IM.Protocols.WsFederation
  • [ ] M.IM.TestExtensions
  • [ ] M.IM.Tokens
  • [ ] M.IM.Tokens.Saml
  • [ ] M.IM.Validators
  • [ ] M.IM.Xml
  • [x] S.IM.Tokens.Jwt
  • [ ] Other (please describe)
    Believe it's S.IM.Tokens but unsure.

Is this a new or an existing app?
Existing app

Impact
When using Azure Durable Functions, there are two ways to get the current status of the running job: the webhooks API, and the Functions SDK GetInstance call. If you use either of these, it will throw a Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException error with a TokenValidationFailed event. The call still passes; however, it will fill the logging directory with these errors.

Repro steps
1. Create any .NET 8/.NET 9 durable function with a simple HttpTrigger (ignore auth on the HTTP trigger for now).
2. Create an OrchestrationTrigger that just returns CompletedTask.
3. In the HttpTrigger, schedule the orchestration trigger using ScheduleNewOrchestrationInstanceAsync.
4. Return a CreateCheckStatusResponse with the instanceId created above.
5. Call the returned Status. It has the following format: {url of function}/runtime/webhooks/durabletask/instances/{guid}?code=_____

It is most likely the Code part flagging, even if you include a JWT, because this is the function runtime call.

Second way that doesn't use Code:

1. Create any .NET 8/.NET 9 durable function with a simple HttpTrigger (ignore auth on the HTTP trigger for now).
2. Call GetInstanceAsync(randomGuid);

This doesn't use a code from what I can see, but will still throw the same exception.

Expected behavior
Errors should not occur on GetInstanceAsync as I don't believe it uses Code underneath.

Actual behavior
Throws Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException:
at Microsoft.Extensions.DependencyInjection.ScriptJwtBearerExtensions.IssuerValidator

Additional context / logs / screenshots / links to code
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException:
at Microsoft.Extensions.DependencyInjection.ScriptJwtBearerExtensions.IssuerValidator (Microsoft.Azure.WebJobs.Script.WebHost, Version=4.1036.0.0, Culture=neutral, PublicKeyToken=null: /_/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs:152)
at Microsoft.IdentityModel.Tokens.Validators+d__7.MoveNext (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignatureAndIssuerSecurityKey (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+d__6.MoveNext (Microsoft.AspNetCore.Authentication.JwtBearer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
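The repro steps above, written out as a minimal isolated-worker Durable Functions app. This is an added example, not the reporter's code: it assumes the Microsoft.Azure.Functions.Worker.Extensions.DurableTask package (which supplies DurableTaskClient, ScheduleNewOrchestrationInstanceAsync, CreateCheckStatusResponseAsync and GetInstanceAsync) and the function names StatusRepro, NoOpOrchestration, StartOrchestration and GetStatus are chosen here. Both paths from the report are present: the check-status response whose statusQueryGetUri carries the host system key in ?code=, and the SDK GetInstanceAsync call that never touches the webhook URL.

```csharp
using System.Net;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.DurableTask;
using Microsoft.DurableTask.Client;
using Microsoft.Extensions.Logging;

// Hypothetical repro app; names below are assumptions, not from the issue.
public class StatusRepro
{
    private readonly ILogger<StatusRepro> _logger;

    public StatusRepro(ILogger<StatusRepro> logger) => _logger = logger;

    // Step 2: an orchestration that does no work and just completes.
    [Function(nameof(NoOpOrchestration))]
    public Task NoOpOrchestration([OrchestrationTrigger] TaskOrchestrationContext context)
        => Task.CompletedTask;

    // Steps 1, 3 and 4: anonymous HTTP trigger ("ignore auth for now") that schedules the
    // orchestration and returns the check-status payload. The statusQueryGetUri in that
    // payload is the /runtime/webhooks/durabletask/instances/{id}?code=... URL from step 5,
    // which is served by the host, not by this function.
    [Function(nameof(StartOrchestration))]
    public async Task<HttpResponseData> StartOrchestration(
        [HttpTrigger(AuthorizationLevel.Anonymous, "post")] HttpRequestData req,
        [DurableClient] DurableTaskClient client)
    {
        string instanceId = await client.ScheduleNewOrchestrationInstanceAsync(nameof(NoOpOrchestration));
        _logger.LogInformation("Scheduled orchestration {InstanceId}", instanceId);
        return await client.CreateCheckStatusResponseAsync(req, instanceId);
    }

    // Second path: query status through the SDK client only. Any GUID works for the repro;
    // an unknown instance simply yields null metadata.
    [Function(nameof(GetStatus))]
    public async Task<HttpResponseData> GetStatus(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "status/{instanceId}")] HttpRequestData req,
        [DurableClient] DurableTaskClient client,
        string instanceId)
    {
        OrchestrationMetadata? metadata = await client.GetInstanceAsync(instanceId);

        var response = req.CreateResponse(metadata is null ? HttpStatusCode.NotFound : HttpStatusCode.OK);
        await response.WriteStringAsync(metadata?.RuntimeStatus.ToString() ?? "unknown instance");
        return response;
    }
}
```

To reproduce, POST to /api/StartOrchestration, then GET the statusQueryGetUri it returns (first path) or GET /api/status/{anyGuid} (second path), and watch the host log for the TokenValidationFailed event. Note where the exception in the trace originates: ScriptJwtBearerExtensions.IssuerValidator in Microsoft.Azure.WebJobs.Script.WebHost, i.e. the host's own JWT bearer handler, not this app's authentication setup; that is consistent with the report that the calls succeed while the log fills with failed-validation entries.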

Labels

Dependency Mismatch: Transitive dependency might be at play and create issues resulting in incorrect versions of a class