How to fix : AADSTS500126: External ID token from issuer '{issuer}' failed signature verification. KeyID of token is '{keyid}'.

vrk 15 Reputation points
2024-07-08T07:15:13.5+00:00

I am working on creating external authentication method using OpenID connect flow.

Now I am at the last step, where the id_token generated by the issuer needs to be verified by Microsoft Entra ID. However, I am getting the following error:

AADSTS500126: External ID token from issuer 'https://xxxx' failed signature verification. KeyID of token is 'xxxxxxx'.

I am generating the id_token using the following params. What could be the issue? I tried verifying the generated id_token on https://jwt.io/ and https://jwt.davetonge.co.uk/ and it shows the signature as verified.

Looking for help here to resolve the issue. Thank you.

<?php
require_once __DIR__ . '/vendor/autoload.php'; // firebase/php-jwt installed via Composer (assumed)

use Firebase\JWT\JWT;

// Builds the id_token returned to Entra ID; $entra_data holds the values taken
// from the incoming request (sub, nonce, acr, amr), $user is the local user
// record and $privateKey is the PEM-encoded RSA private key.
function buildIdToken(array $entra_data, $user, string $privateKey): string
{
    $payload = [
        'iss'   => "xxxx",
        'tid'   => "xxxx",
        'aud'   => "xxxx",
        'exp'   => time() + 3600,
        'iat'   => time(),
        'nbf'   => time(),
        'sub'   => $entra_data['sub'],
        'nonce' => $entra_data['nonce'],
        'acr'   => $entra_data['acr'],
        'amr'   => $entra_data['amr'],
        'name'  => $user->name,
        'email' => $user->email,
        'preferred_username' => $user->email
    ];

    // Create the header; the kid must match a key published in the issuer's JWKS
    $header = [
        'alg' => 'RS256',
        'typ' => 'JWT',
        'kid' => "xxxxxx"
    ];

    // Fifth argument merges $header into the JOSE header (php-jwt v6 signature)
    return JWT::encode($payload, $privateKey, 'RS256', null, $header);
}

4 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-07-08T20:57:52.61+00:00

    Hi @vrk ,

    The EAM feature is in public preview, which means the support we offer is limited and we do not recommend deploying the feature in production. As a best effort you can try these steps:

    1. Check that the configuration on our side is correct as per article How to manage an external authentication method (EAM) in Microsoft Entra ID (Preview) - Microsoft Entra ID | Microsoft Learn.
    2. Involve the 3rd-party support team to check if the configuration on their side is correct.
    3. If the configuration is correct on both sides, please collect a Fiddler trace during the issue, reproduce it, and review the failed sign-in event.

    If you still face the issue, you can reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak | AADSTS500126") and include your subscription ID, the fiddler trace, and a link to this thread, and I can open a one-time free support case to look into this.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.


  2. Nicolas P 0 Reputation points
    2025-01-09T13:57:25.7133333+00:00

    @Marilee Turscak-MSFT: I have exactly the same problem, could you provide support as well?

    I managed to create a service that seems to comply with the EAM integration, but I am stuck at the end.

    I am redirected to the client app callback with a query that contains an error:

    https://app.pocct1.stormshieldcs.eu/callback?error=invalid_client&error_description=AADSTS500126%3a+External+ID+token+from+issuer+%27https%3a%2f%2feam.pocct1.stormshieldcs.eu%27+failed+signature+verification.+KeyID+of+token+is+%271%27.+Trace+ID%3a+04d6acdd-042e-46ea-94b7-16d764bda200+Correlation+ID%3a+3c60b6c4-b47e-46f3-a6d1-e29dd3536e86+Timestamp%3a+2025-01-09+13%3a52%3a37Z&state=H8Kag2LT7mqpMx62SxNxMw#

    I checked the provided token on https://jwt.davetonge.co.uk/ and it proves to be OK.

    It seems that it is not the signature that is causing the problem.

    The raw token is:

    eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJpc3MiOiJodHRwczovL2VhbS5wb2NjdDEuc3Rvcm1zaGllbGRjcy5ldSIsImF1ZCI6IjkyODRlNjZmLThlMTYtNDBmZC05OTU4LTdiNDljN2I3MDE1NiIsImV4cCI6MTczNjQzNDM1NSwiaWF0IjoxNzM2NDMwNzU1LCJzdWIiOiJuZ3RRQ19iX00xYlhpNWt3enJ4V1YwNHBXYlhqZ0czWGdWaEo1VVQydjJrIiwibm9uY2UiOiJBd0FCRWdFQUFBQURBT3pfQlFEMF81QWJ2QmxQbUI5RTU5Y09ZS000MjVuaHh6Y1c0YmJZdUE2bHZrWk5mMmVwaF9yLXR1ZEEydWdNbHZ0djFLNUpCVmROdjc4TWJUdUVMdENPTzAzWkJzNGdBQSIsImFjciI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJwb3NzZXNzaW9ub3JpbmhlcmVuY2UiXX0sImFtciI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJwb3AiXX19.chu7W2uMV1hUsj2rLuzIjH4ZnG3FTTG1kTHvWU4YMCinQ4RB3tI76ZYtcaw-AwBy6z8hoyaevX5zqsyFbvhN0ThZUKKwRMY6zcCeD2nihAQeQ5J915YhgpCixJXRUGspyh2s-D18kEgDgIbNNg5S46STZeXGfouVzadm3dck0eksGSWcKcNcOsfmqx_c56tPEQ_kOpHV1RLYA4Wj1qwsU7id9X_Jzz8PIiLGRPIqVMQd6MZ4Wx08ZNQHcfl4Xzuv6FdWq37EB_ZZI_LQ3FJhvczrDyWTh0MnW0s6gcCdXGarCMUa0NAikYGxkuBIBztEwu80_5Ntpw5zR-ov_MK6nA

    The decoded token is like:

    {
      "iss": "https://eam.pocct1.stormshieldcs.eu",
      "aud": "9284e66f-8e16-40fd-9958-7b49c7b70156",
      "exp": 1736434355,
      "iat": 1736430755,
      "sub": "ngtQC_b_M1bXi5kwzrxWV04pWbXjgG3XgVhJ5UT2v2k",
      "nonce": "AwABEgEAAAADAOz_BQD0_5AbvBlPmB9E59cOYKM425nhxzcW4bbYuA6lvkZNf2eph_r-tudA2ugMlvtv1K5JBVdNv78MbTuELtCOO03ZBs4gAA",
      "acr": {
        "essential": true,
        "values": ["possessionorinherence"]
      },
      "amr": {
        "essential": true,
        "values": ["pop"]
      }
    }


  3. Martin van Es 0 Reputation points
    2025-01-20T16:28:13.5233333+00:00

    For what it's worth, I'm seeing the exact same problem with a valid id_token and a valid signature according to https://jwt.davetonge.co.uk/

    But the error now looks like this:

    External ID token from issuer '{issuer}' failed signature verification. KeyID of token is '{identifier}'.

    So there seems to be a placeholder-replacement problem in Microsoft's code, at least for the logging, but I suspect the same problem in their code.


  4. Martin van Es 0 Reputation points
    2025-03-03T15:24:20.57+00:00

    I was finally able to make this work by meticulously crafting my JWKS endpoint. Due to very lazy refreshing of this endpoint, I'm not sure about the minimal requirements, but I can make it work with these contents:

    {
      "keys": [
        {
          "kty": "RSA",
          "use": "sig",
          "kid": "IZxCBVoIuRGa8wapBxtLa-A42KM=",
          "alg": "RS256",
          "x5c": [
            "MIIFezCC..."
          ],
          "e": "AQAB",
          "n": "oLvdu..."
        }
      ]
    }

    Here "kid" is the SHA1 fingerprint of the x5c chain, and "x5c" holds the PEM-encoded self-signed cert without the PEM prefix/postfix lines.
    

    For some reason, it looks like Microsoft is expecting an x5c certificate chain and/or strict usage of the URL-safe base64-encoded SHA1 fingerprint of this certificate as the kid. Make sure your token correctly references this kid.

    And, as said: when you start experimenting and debugging this, be warned that MS caches the JWKS endpoint for very long times.

    Hope this helps
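An added worked example, not code from this thread, from Microsoft or from any of the posters, that ties the question's token builder and the JWKS shape in the answer above together. It derives the kid the way the answer describes, base64url(SHA-1(DER certificate)), publishes a JWKS whose kid, x5c, n and e all describe that one key, signs an RS256 id_token carrying that kid, and then runs the relying-party side check a practitioner would want before blaming Entra: kid lookup in the JWKS, agreement between the x5c certificate and n, and signature verification. It also signs a second token with kid "1", as in the failing token earlier in the thread, to show what the lookup returns when the JWKS publishes no key under that kid. The issuer URL, audience and claim values are placeholders; only Go's standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK carries the fields of the working JWKS posted above (RFC 7517).
type JWK struct {
	Kty string   `json:"kty"`
	Use string   `json:"use"`
	Kid string   `json:"kid"`
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"`
	E   string   `json:"e"`
	N   string   `json:"n"`
}

type JWKS struct{ Keys []JWK `json:"keys"` }

var b64url = base64.RawURLEncoding

// KidFromCert derives kid = base64url(SHA-1(DER cert)), the thumbprint convention the answer above reports as accepted.
func KidFromCert(der []byte) string {
	sum := sha1.Sum(der)
	return b64url.EncodeToString(sum[:])
}

// BuildJWKS self-signs a certificate for key and publishes a JWKS in which kid, x5c and n/e all describe that same key.
func BuildJWKS(key *rsa.PrivateKey, issuer string) (JWKS, string, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: issuer},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return JWKS{}, "", err
	}
	kid := KidFromCert(der)
	return JWKS{Keys: []JWK{{Kty: "RSA", Use: "sig", Kid: kid, Alg: "RS256",
		X5c: []string{base64.StdEncoding.EncodeToString(der)}, // plain base64 DER, no PEM armour
		E:   b64url.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes()),
		N:   b64url.EncodeToString(key.PublicKey.N.Bytes())}}}, kid, nil
}

// SignRS256 builds a compact JWS whose header carries the given kid.
func SignRS256(key *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64url.EncodeToString(hdr) + "." + b64url.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64url.EncodeToString(sig), err
}

// VerifyAgainstJWKS mirrors the relying party: read kid from the header, find it in the
// JWKS, check that x5c and n agree, then verify the RS256 signature.
func VerifyAgainstJWKS(token string, set JWKS) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed compact JWS")
	}
	rawHdr, errH := b64url.DecodeString(parts[0])
	sig, errS := b64url.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if errH != nil || errS != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("undecodable header or unexpected alg %q", hdr.Alg)
	}
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid || len(k.X5c) == 0 {
			continue
		}
		der, _ := base64.StdEncoding.DecodeString(k.X5c[0])
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return err
		}
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if nBytes, _ := b64url.DecodeString(k.N); !ok || new(big.Int).SetBytes(nBytes).Cmp(pub.N) != 0 {
			return errors.New("x5c certificate and n do not describe the same RSA key")
		}
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return fmt.Errorf("kid %q not found in JWKS", hdr.Kid)
}

// Demo signs one token with the published kid and one with kid "1" (as in the failing
// token above) and returns both verification results. Issuer and claims are placeholders.
func Demo() (matched, mismatched error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	set, kid, err := BuildJWKS(key, "https://eam.example.test") // hypothetical issuer
	if err != nil {
		return err, err
	}
	claims := map[string]any{"iss": "https://eam.example.test", "aud": "client-id", "sub": "u1", "nonce": "n",
		"iat": time.Now().Unix(), "exp": time.Now().Add(time.Hour).Unix()}
	good, _ := SignRS256(key, kid, claims)
	bad, _ := SignRS256(key, "1", claims) // no JWKS entry carries this kid
	return VerifyAgainstJWKS(good, set), VerifyAgainstJWKS(bad, set)
}
```

The kid is compared as an opaque string, so the unpadded base64url form emitted here and the padded form shown in the answer above both work, provided the JWKS entry and the token header carry the identical value. Because the Entra side caches the JWKS for a long time, publish a new key (with its new kid) before any token references it, and keep the old entry until every token signed with it has expired.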

