Azure AD-B2C error: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'


Solution 1

I was able to validate the token by passing the correct metadata endpoint:

https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/.well-known/openid-configuration

Solution 2

I had to update my OpenIdConnectAuthenticationOptions.MetadataAddress to https://login.microsoftonline.com/tfp/{tenantId}/{policyId}/v2.0/.well-known/openid-configuration.
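Added diagnostic example (not from the question or either answer) that shows what IDX10501 actually means: the `kid` in the token header is not present in the key set served by the configured metadata document, which is exactly what happens when `MetadataAddress` points at a document for the wrong tenant or policy. The metadata template is the one from the answers; the token, key sets and policy name are constructed samples, and the token is unsigned because only the header lookup is demonstrated.

```python
import base64
import json
from typing import Optional

# Per-policy metadata address format taken from the answers above.
METADATA_TEMPLATE = (
    "https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/.well-known/openid-configuration"
)


def build_metadata_address(tenant_id: str, policy_id: str) -> str:
    """Format the B2C metadata address for one tenant and one sign-in policy."""
    return METADATA_TEMPLATE.format(tenant_id, policy_id)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_kid(token: str) -> Optional[str]:
    """Read the 'kid' from a JWT header without verifying the signature."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("kid")


def find_signing_key(token: str, jwks: dict) -> Optional[dict]:
    """Return the JWK whose kid matches the token header, or None.

    None is the condition IdentityModel reports as IDX10501: the key set
    fetched via the configured metadata document has no key with this kid.
    """
    kid = token_kid(token)
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


def _make_unsigned_token(kid: str) -> str:
    # Constructed sample: header and payload only; the signature segment is a placeholder.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    payload = {"aud": "example-client-id", "tfp": "B2C_1_signin"}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed sample key sets: the one the policy metadata points at, and an unrelated one.
JWKS_SIGNIN_POLICY = {"keys": [{"kty": "RSA", "kid": "kid-signin-001", "use": "sig"}]}
JWKS_UNRELATED = {"keys": [{"kty": "RSA", "kid": "kid-other-001", "use": "sig"}]}
SAMPLE_TOKEN = _make_unsigned_token("kid-signin-001")
```

Against a live tenant, fetch `jwks_uri` from the metadata document that `build_metadata_address` returns and pass the downloaded JSON as `jwks`; a `None` result means the token was issued by a different policy or tenant than the one the API is configured to trust.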

Author: Rumpi Guha

Updated on June 26, 2022

Comments

  • Rumpi Guha
    Rumpi Guha almost 2 years

    I’m using Swagger to make API calls. For authentication I’m able to generate a Bearer token, but after that I'm getting 401 in response. After checking logs, below is the error:

    Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: 
    kid: '[PII is hidden]', 
    token: '[PII is hidden]'
    

    My ConfigureAuth method is as below:

    // Requires: using Owin; using Microsoft.Owin.Security.OAuth;
    // using Microsoft.Owin.Security.Jwt; using Microsoft.IdentityModel.Tokens;
    // using System.Threading.Tasks;
    private static void ConfigureAuth(IAppBuilder app)
    {
        // Metadata address built from config: "ida:AadInstance" is the format string,
        // filled with the tenant and the sign-in policy name.
        var metadataEndpoint = string.Format(
            configProvider.GetConfigValue<string>("ida:AadInstance", "AuthConfig"),
            configProvider.GetConfigValue<string>("ida:Tenant", "AuthConfig"),
            configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"));
    
        string[] validAudiences = configProvider.GetConfigValue<string>("ida:Audiences", "AuthConfig").Split(',');
        TokenValidationParameters tvps = new TokenValidationParameters
        {
            // Both ValidAudiences and ValidAudience are set; the token's "aud" must match one of them.
            ValidAudiences = validAudiences,
            AuthenticationType = configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"),
            ValidateAudience = true,
            ValidateIssuer = configProvider.GetConfigValue<bool>("validateIssuer", "AuthConfig"),
            ValidateLifetime = true,
            ValidAudience = configProvider.GetConfigValue<string>("Swagger:ClientId", "AuthConfig"),
            //NameClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier",
        };
    
        //SecurityToken securityToken;
        //JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
        app.UseOAuthBearerAuthentication(
            new OAuthBearerAuthenticationOptions
            {
                // Signing keys are resolved from the metadata document at metadataEndpoint.
                AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)),
                Provider = new OAuthBearerAuthenticationProvider()
                {
                    OnRequestToken = (context) =>
                    {
                        if (!string.IsNullOrEmpty(context.Token))
                        {
                        }
    
                        return Task.FromResult<int>(0);
                    },
                    OnValidateIdentity = (context) =>
                    {
                        ////TO DO
                        //// Steps to perform after identity validation
    
                        return Task.FromResult<int>(0);
                    }
                }
            });
    }
    
  • spottedmahn
    spottedmahn almost 6 years
    Can you source that?
  • Rumpi Guha
    Rumpi Guha almost 6 years
    Sorry, didn't understand. Do you want me to put the complete code here?
  • spottedmahn
    spottedmahn almost 6 years
    Hi 👋 Rumpi - no, just how you figured that out? I assume some webpage?
  • Rumpi Guha
    Rumpi Guha almost 6 years
    Hi, sorry I didn't get that in some web page, the security consultant in my team figured it out.
  • sirdank
    sirdank about 5 years
    I also had to update TokenValidationParameters.ValidAudience