error verifying token using SSO OpenID

vic 0 Reputation points
2024-07-12T07:53:46.24+00:00

We are having some trouble using Microsoft Entra with one of our clients. When they try to log in using an SSO OpenID method, they get an error that it cannot verify the ID token signature. These are some points we have checked with the client:

  • Our client told us that they are using multi domain in Microsoft Entra.
  • They can login using SSO into other platforms.
  • The endpoints used to setup the OpenID SSO configuration are correct.
  • The secret and applicationID provided from Microsoft Entra are correct.

It only happens with one client; other clients using Microsoft Entra authentication can log in to our platform.

I am thinking that if they are using multi-domain it cannot retrieve the ID token correctly, but I don't have any clue about that.


1 answer

  1. Raja Pothuraju 1,600 Reputation points Microsoft Vendor
    2024-07-16T09:24:31.9266667+00:00

    Hello @vic,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you are encountering an issue with the OpenID SSO method, specifically an error indicating it cannot verify the ID token signature. You've already confirmed that users can access other applications and endpoints configured with OpenID SSO, and you've verified the appID and client secret values.

    The error message typically occurs when the generated ID token signature is invalid or does not meet the expected format. To resolve this issue, please decode the token using jwt.io and verify if the generated ID token has a valid signature.

    I generated an ID token in my test tenant and decoded it using jwt.io. If the token has a valid signature, it will display "Signature Valid" as shown in the screenshot below:

    [screenshot: jwt.io decoding the ID token and showing "Signature Valid"]

    If the ID token signature is not valid, jwt.io will indicate "Invalid Signature." Please review and confirm this information.

    The following JWT claims should be validated in the ID token after validating the signature on the token. Your token validation library may also validate the following claims:

    • Timestamps: the iat, nbf, and exp timestamps should all fall before or after the current time, as appropriate.
    • Audience: the aud claim should match the app ID for your application.
    • Nonce: the nonce claim in the payload must match the nonce parameter passed into the /authorize endpoint during the initial request.

    Please refer to the documents below for reference.

    https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc

    If the information provided did not resolve your issue, please share a screenshot of the error message for further assistance.

    Regarding your query about multi-domain usage in Microsoft Entra: does this mean that users attempting to access the application come from different tenants? Or are multi-domain users also members within the same home directory? Could you please provide clarification on this?

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.
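The checks the answer lists (signature first, then the iat/nbf/exp timestamps, aud and nonce), as an added Python example that is not part of the question or the answer: it verifies an RS256 ID token against a JWKS document by matching the header's kid, the way a relying party verifies against Entra's published keys, and additionally pins the issuer to the token's tid against an allow-list of tenants, which is the check that matters when users may come from more than one tenant. The key pair, kid, tenant ids, client id and nonce are constructed test values, and because it uses only the standard library the RSA arithmetic is done on integers rather than through a JOSE library.

```python
import base64, hashlib, json, math, random, time
b64u = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
b64u_dec = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()  # DigestInfo
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def probable_prime(bits: int) -> int:  # Fermat test; enough for a constructed test key
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(24)):
            return n

def make_test_key(bits: int = 1024):  # constructed key pair; Entra's real signing keys are 2048-bit RSA
    p, q = probable_prime(bits // 2), probable_prime(bits // 2)
    n, e, phi = p * q, 65537, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:  # vanishingly rare with e = 65537; just draw again
        return make_test_key(bits)
    jwk = {"kty": "RSA", "use": "sig", "kid": "test-kid",  # JWK n/e are base64url big-endian ints
           "n": b64u(n.to_bytes(bits // 8, "big")), "e": b64u(e.to_bytes(3, "big"))}
    return (pow(e, -1, phi), n), {"keys": [jwk]}  # private (d, n) and a JWKS document

def mint_token(priv, claims: dict) -> str:  # test-only stand-in for the issuer's signing step
    d, n = priv
    k = (n.bit_length() + 7) // 8
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "test-kid"}).encode())
    signing_input = f"{head}.{b64u(json.dumps(claims).encode())}"
    sig = pow(emsa_pkcs1_v15(signing_input.encode(), k), d, n)
    return f"{signing_input}.{b64u(sig.to_bytes(k, 'big'))}"

def verify_id_token(token, jwks, client_id, nonce, allowed_tids, now=None, skew=120):
    """Signature first, using the key whose kid matches the header; only then the claims."""
    head_s, body_s, sig_s = token.split(".")
    head = json.loads(b64u_dec(head_s))
    key = next((j for j in jwks["keys"] if "kid" in j and j["kid"] == head.get("kid")), None)
    if head.get("alg") != "RS256" or key is None:  # the wrong tenant's JWKS shows up as a missing kid
        raise ValueError("unsupported alg or kid not in JWKS")
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    expected = emsa_pkcs1_v15(f"{head_s}.{body_s}".encode(), (n.bit_length() + 7) // 8)
    if pow(int.from_bytes(b64u_dec(sig_s), "big"), e, n) != expected:
        raise ValueError("invalid signature")
    c, now = json.loads(b64u_dec(body_s)), (time.time() if now is None else now)  # claims after signature
    if not (c["nbf"] - skew <= now <= c["exp"] + skew) or c["iat"] - skew > now:
        raise ValueError("token outside its validity window")
    if c["aud"] != client_id or c["nonce"] != nonce:
        raise ValueError("aud or nonce mismatch")
    if c["tid"] not in allowed_tids or c["iss"] != f"https://login.microsoftonline.com/{c['tid']}/v2.0":
        raise ValueError("issuer/tenant not allowed")
    return c
```

A real relying party fetches the JWKS from the jwks_uri in the OpenID discovery document for the tenant that issued the token, rather than from a constructed document as here.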