AADSTS500126: External ID token from issuer '{issuer}' failed signature verification.

Question

AADSTS500126: External ID token from issuer '{issuer}' failed signature verification.

Tony Liang 5

Hi,

I've configured the external authentication method for Entra ID as outlined in the documentation. After successful authentication, our EAM system sends the ID token to https://login.microsoftonline.com/common/federation/externalauthproviderredirect. However, it appears that Entra ID is unable to verify the token, resulting in the following error:

Error: invalid_client

Error Description: AADSTS500126: External ID token from issuer '{issuer}' failed signature verification. KeyID of token is 'SigningKey'.

I’ve checked the token’s integrity on jwt.io, and it seems valid. Could you provide insights into why the token verification might be failing in Entra ID and any possible resolutions?

Thank you!

2 answers

Your answer

Answer 1

James Hamil 27,221 Microsoft Employee Moderator

Hi @Tony Liang , there are a few things that could be causing the problem:

Incorrect Signing Key: Double-check the signing key. The KeyID (kid) in your token's header needs to match the key Entra ID is expecting. Look at the kid value in your token header. Make sure the corresponding public key is available in the JWKS (JSON Web Key Set) endpoint from your external provider. Verify that this key is correctly set up in Entra ID.
Key Rotation: If your external provider has rotated keys recently, Entra ID might not have the latest key yet. Check if there’s been a recent key rotation. Make sure the new keys are updated and configured in Entra ID.
Mismatched Issuer or Audience: The iss (issuer) and aud (audience) claims in the token need to match what Entra ID expects. Look at the iss and aud claims in your token. Verify that these match what you’ve configured in Entra ID.
Make sure your token hasn’t expired. Check the exp claim in the token and confirm it’s still valid when Entra ID is verifying it.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Tony Liang 5 Reputation points

2024-10-29T02:57:21.9733333+00:00

Duplicated comment. please view below.
Tony Liang 5 Reputation points

2024-10-29T03:16:42.1566667+00:00
Hi @James Hamil . Thank you for your response. I have verified the issuer and kid of the signature against the OpenID configuration in the external authenticator settings, and they match. Additionally, we do not use key rotation.

Our ID provider returned the ID token in this format:

"aud": [ "d12ab068-4171-4767-ba2a-6c8f73c387c8", "https://external-auth-idp.demo-dev.com/default/" ]

The first value is the app and client ID for my app in Azure, and the second is the issuer name. Does this look correct to you?

From the error message, it appears that Entra is unable to verify the signature of the external ID token. Do you know where it's retrieving the public key from—is it via the jwks_uri in the OpenID configuration, or should I manually add the public key to my app as shown in the screen below?

Thank you for your help.
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2024-11-16T00:43:01.5233333+00:00

Hi @Tony Liang , sorry for the delay in response. It's hard to tell from the error, but have you tried testing it with the jwks_uri and by adding a public key?
Nicolas P 0 Reputation points

2025-01-09T13:35:34.64+00:00

Hello, I have exactly the same problem, any luck into solving it ?
Aaron Zhong 0 Reputation points

2025-01-24T08:15:16.5+00:00
Hi, I'm experiencing the same symptom as above. I have followed the documentation here https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider#microsoft-entra-id-processing-of-the-provider-response to ensure that the https://login.microsoftonline.com/common/federation/externalauthprovider callback is called with the required fields state and id_token and that the id_token contains the required claims. An example of a decoded token is:

{ "header": { "alg": "RS256", "typ": "JWT", "kid": "38e33cd5-6eab-4476-a9d0-4c94a764da2a" }, "payload": { "sub": "ugw5KFdHsvG8nPRPiD7A3O7SJoTznzZP11dbJpk-dDE", "exp": 1737705424, "iss": "https://omitted.com", "aud": "ef782c27-b376-4f05-9020-1d6de4a2856e", "nonce": "AwABEgEAAAADAOz_BQD0_4vGd19MB7EnloiJ-uTH2YSYT7Ie6ZynOS0StIa8Nw-M1lBSIEEtfYV_MCarEE5wwBwH1V0T6p-fg93oJWBboHAgAA", "amr": ["fido"], "acr": "possessionorinherence", "iat": 1737704825 } }

I verified the following:

iss matches that configured in my configuration endpoint

sub matches the sub from the initial id_token_hint

aud is the application id of the eam application

nonce matches the nonce that was passed in the initial request

the header kid matches matches the kid in the jwks url and verified against https://jwt.davetonge.co.uk for validity

@James Hamil, are you able to clarify the statement "Verify that this key is correctly set up in Entra ID.", I do not see any documentation around how to do this.

Any help to point me in the right direction would be hugely appreciated. Thanks!

Answer 2

Nicolas P 0

We finally managed to get it working !

It seems that entra ID needs to have the JWKS encoded as such :

base64 url encoded without padding for all fields but the x5c field,
normal base64 for the x5c field.

Share via

AADSTS500126: External ID token from issuer '{issuer}' failed signature verification.

2 answers

Your answer