Azure AD-B2C error: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'
Solution 1
I was able to validate the token by passing the correct metadata endpoint:
https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/.well-known/openid-configuration
Solution 2
I had to update my OpenIdConnectAuthenticationOptions.MetadataAddress to https://login.microsoftonline.com/tfp/{tenantId}/{policyId}/v2.0/.well-known/openid-configuration.
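Both solutions come down to the same mechanism, so this added example (Python, chosen so it runs offline; it is not code from the question, the answers or any Microsoft library) reproduces the key-resolution step that produces IDX10501. The middleware downloads the OpenID Connect discovery document at the configured metadata address, follows its jwks_uri, and picks the JWK whose kid equals the kid in the token header; when the metadata address belongs to a different issuer than the B2C policy that signed the token, no key with that kid exists and validation stops with "Unable to match keys". A second function applies the issuer and audience checks that ValidAudience/ValidAudiences control, which is the other knob the comments mention. RS256 signature verification itself is left to a JWT library and is not performed. The tenant id, policy name, jwks URIs, key ids, audience and the token are all constructed for the demonstration; the HTTP layer is replaced by an in-memory table.

```python
"""Key lookup behind IDX10501, done offline with constructed discovery data.

Added example, not code from the page or from Microsoft.IdentityModel.
Signature verification (RS256) is deliberately left out: the point shown is
the step before it, resolving the token's kid against the JWKS that the
configured metadata address points to.
"""
import base64
import json
from typing import Callable, Optional

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed
POLICY_ID = "B2C_1_SignIn"                          # constructed

# Metadata address the answers converge on: tfp + tenant + policy.
TFP_METADATA = (f"https://login.microsoftonline.com/tfp/{TENANT_ID}/{POLICY_ID}"
                "/v2.0/.well-known/openid-configuration")
# Tenant-level v2.0 endpoint that does not publish the B2C policy's keys.
TENANT_METADATA = (f"https://login.microsoftonline.com/{TENANT_ID}"
                   "/v2.0/.well-known/openid-configuration")

# Constructed stand-in for the responses of both endpoints and their JWKS.
# Public key material is omitted; only the kids matter for this step.
FAKE_HTTP = {
    TFP_METADATA: {
        "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/",
        "jwks_uri": "https://example.invalid/b2c/keys",       # constructed
    },
    "https://example.invalid/b2c/keys": {
        "keys": [{"kty": "RSA", "use": "sig", "kid": "b2c-policy-key-1"}],
    },
    TENANT_METADATA: {
        "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "jwks_uri": "https://example.invalid/tenant/keys",    # constructed
    },
    "https://example.invalid/tenant/keys": {
        "keys": [{"kty": "RSA", "use": "sig", "kid": "tenant-key-7"}],
    },
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_demo_token(kid: str, issuer: str, audience: str) -> str:
    """Constructed token: real header/payload encoding, placeholder signature."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    payload = {"iss": issuer, "aud": audience, "tfp": POLICY_ID}
    signature = _b64url_encode(b"\x00" * 32)  # not a real RSA signature
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        signature,
    ])


def find_signing_key(token: str, metadata_address: str,
                     fetch: Callable[[str], dict] = FAKE_HTTP.__getitem__) -> Optional[dict]:
    """Mirror the middleware's key resolution; None is the IDX10501 case."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm before touching any key: "none" or an HMAC alg in a
    # bearer token must be rejected, never matched against a public key.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")
    if not kid:
        return None
    metadata = fetch(metadata_address)         # discovery document
    jwks = fetch(metadata["jwks_uri"])          # key set it advertises
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig":
            return jwk
    return None


def validate_claims(token: str, metadata_address: str, valid_audiences,
                    fetch: Callable[[str], dict] = FAKE_HTTP.__getitem__) -> bool:
    """Issuer and audience checks applied after the signature; the audience set
    plays the role of ValidAudience/ValidAudiences in TokenValidationParameters."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    metadata = fetch(metadata_address)
    if payload.get("iss") != metadata["issuer"]:
        return False
    aud = payload.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    return bool(auds & set(valid_audiences))


# Token as the B2C policy would have issued it (constructed audience).
DEMO_TOKEN = build_demo_token("b2c-policy-key-1",
                              FAKE_HTTP[TFP_METADATA]["issuer"], "swagger-client-id")

if __name__ == "__main__":
    for address in (TENANT_METADATA, TFP_METADATA):
        key = find_signing_key(DEMO_TOKEN, address)
        print(address, "->", f"matched kid {key['kid']}" if key
              else "IDX10501: unable to match keys")
```

Running the module prints the failure for the tenant-level address and the matched kid for the tfp address. Against a live tenant you would replace FAKE_HTTP.__getitem__ with a function that performs the HTTPS GET and parses JSON, and hand the matched JWK to a JWT library for the actual RS256 check; the kid comparison alone is not proof of authenticity.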
Author: Rumpi Guha
Updated on June 26, 2022

Comments
Rumpi Guha, almost 2 years ago: I'm using Swagger to make API calls. For authentication I'm able to generate a Bearer token, but after that I'm getting 401 in response. After checking the logs, below is the error:
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'
My ConfigureAuth method is as below:
private static void ConfigureAuth(IAppBuilder app)
{
    // ida:AadInstance is a format string; tenant and sign-in policy are filled in.
    var metadataEndpoint = string.Format(
        configProvider.GetConfigValue<string>("ida:AadInstance", "AuthConfig"),
        configProvider.GetConfigValue<string>("ida:Tenant", "AuthConfig"),
        configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"));

    string[] validAudiences = configProvider.GetConfigValue<string>("ida:Audiences", "AuthConfig").Split(',');

    TokenValidationParameters tvps = new TokenValidationParameters
    {
        ValidAudiences = validAudiences,
        AuthenticationType = configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"),
        ValidateAudience = true,
        ValidateIssuer = configProvider.GetConfigValue<bool>("validateIssuer", "AuthConfig"),
        ValidateLifetime = true,
        ValidAudience = configProvider.GetConfigValue<string>("Swagger:ClientId", "AuthConfig"),
        //NameClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier",
    };

    //SecurityToken securityToken;
    //JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();

    app.UseOAuthBearerAuthentication(
        new OAuthBearerAuthenticationOptions
        {
            // Signing keys are fetched from the metadata endpoint built above.
            AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)),
            Provider = new OAuthBearerAuthenticationProvider()
            {
                OnRequestToken = (context) =>
                {
                    if (!string.IsNullOrEmpty(context.Token))
                    {
                    }
                    return Task.FromResult<int>(0);
                },
                OnValidateIdentity = (context) =>
                {
                    ////TO DO
                    //// Steps to perform after identity validation
                    return Task.FromResult<int>(0);
                }
            }
        });
}
spottedmahn, almost 6 years ago: Can you source that?
Rumpi Guha, almost 6 years ago: Sorry, I didn't understand. Do you want me to put the complete code here?
spottedmahn, almost 6 years ago: Hi 👋 Rumpi, no, just how you figured that out? I assume some webpage?
Rumpi Guha, almost 6 years ago: Hi, sorry, I didn't get that from a web page; the security consultant on my team figured it out.
sirdank, about 5 years ago: I also had to update TokenValidationParameters.ValidAudience.