@jpro1001, Thank you for reaching out. Looking at the error thrown, "Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException", it usually comes up when the API fails to validate the token's signature after the token is issued by AAD and the app submits that token to the API in its request. As you mentioned that for Graph API things work fine and it fails only for your custom API, I guess your API code is missing the signature validation section.
When we perform token validation, we usually check the following:
- Audience: The token is targeted for the web API.
- Sub: It was issued for an app that's allowed to call the web API.
- Issuer: It was issued by a trusted security token service (STS).
- Expiry: Its lifetime is in range.
- Signature: It wasn't tampered with.
Now, among these, for the signature validation you can find the details here: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration#what-defines-aspnet-and-aspnet-core-apis-as-protected
I guess this part is missing in the code and hence your application is throwing that error.
You can also check the following article that speaks about the signature validation steps:
https://blogs.aaddevsup.xyz/2019/03/using-jwt-io-to-verify-the-signature-of-a-jwt-token/
Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.
You can also take a look at this sample; though the Web API is written using ASP.NET, I feel it would give you a fair understanding of how to get custom APIs protected with AAD.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
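As an added example (not part of the answer above or of any Microsoft sample), this is the ASP.NET Core JwtBearer configuration that performs the five checks listed in the answer; the handler fetches the issuer's signing keys from the Authority's OpenID Connect metadata, which is the piece that makes the signature check possible. The tenant id, client id and route are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Placeholders: substitute your own tenant id and the API's app (client) id.
const string TenantId = "<TENANT_ID>";
const string ApiClientId = "<API_CLIENT_ID>";
// v2.0 issuer for single-tenant apps; v1.0 tokens use https://sts.windows.net/<TENANT_ID>/ instead.
string issuer = $"https://login.microsoftonline.com/{TenantId}/v2.0";

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority: the handler downloads /.well-known/openid-configuration from here
        // and, from it, the JWKS signing keys used to verify the token signature.
        options.Authority = issuer;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Issuer: only tokens from this STS are trusted.
            ValidateIssuer = true,
            ValidIssuer = issuer,
            // Audience: the token must be minted for this API (aud = client id or api://<id>).
            ValidateAudience = true,
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
            // Expiry: nbf/exp must bracket "now", with a small clock-skew allowance.
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            // Signature: reject tokens whose signature does not verify against the fetched keys.
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true,
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Every request to this route must carry a token that passed all checks above;
// the "sub"/"azp" caller check is left to authorization policies on top of this.
app.MapGet("/api/ping", () => "ok").RequireAuthorization();
app.Run();
```

An access token that the client obtained for Microsoft Graph scopes will fail both the audience and the signature checks here, so the client must request a token for this API's own scope (for example `api://<API_CLIENT_ID>/.default`).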