Azure B2C OpenID external IDP ItsMe AADB2C90239: The provided token failed signature validation

briac texier 6 Reputation points
2022-04-20T11:04:57.21+00:00

Hello,

I'm trying to integrate Azure B2C with an external OpenID identity provider called ItsMe: https://oidc.e2e.itsme.services/clientsecret-oidc/csapi/v0.1/.well-known/openid-configuration
I followed the steps described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-itsme
Our external provider is configured with the following redirect URL: https://[tenantname].b2clogin.com/[tenantname].onmicrosoft.com/oauth2/authresp

But when I either run the User Flows or my Custom Flow, I always receive the same error:
AADB2C90239: The provided token failed signature validation. Please provide another token and try again.

I added Application Insights to try to get more information, and the error occurs in step 2 with:

"Kind": "HandlerResult",
"Content": {
  "Result": true,
  "RecorderRecord": {
    "Values": [
      {
        "Key": "SendErrorTechnicalProfile",
        "Value": "OpenIdConnectProtocolProvider"
      },
      {
        "Key": "Exception",
        "Value": {
          "Kind": "Handled",
          "HResult": "80131500",
          "Message": "The provided token failed signature validation. Please provide another token and try again.",
          "Data": {
            "IsPolicySpecificError": false
          },
          "Exception": {
            "Kind": "Handled",
            "HResult": "80131501",
            "Data": {}
          }
        }
      }
    ]
  },

Step 2 being:

My technical profile looks like this:

I'm currently out of ideas... I was hoping to see the actual response from the external provider using Application Insights, but I couldn't find anything useful...
Any help would be greatly appreciated...
Thanks!

Briac


2 answers

  1. briac texier 6 Reputation points
    2022-06-01T13:26:50.423+00:00

    Problem solved!

    It was confirmed by the Microsoft support team that the algorithm used to validate the token must be the same as the authentication method.

    In our case, we were using a client_secret (symmetric keys) to authenticate to the token endpoint, but the returned ID token was signed using a public key (asymmetric keys).

    This is not supported by Azure B2C.

    ItsMe switched the token signature algorithm to HS256, and now B2C is able to validate the token's signature using the client secret.

    Briac

    1 person found this answer helpful.

  2. Eric VNH 1 Reputation point
    2022-06-14T09:09:02.567+00:00

    Hi Briactexier-1404!

    I suppose you are from Belgium too :)

    I'm working on a Xamarin.Forms Android/iOS solution with Azure AD B2C and Itsme.

    I also use a custom policy and all is working fine, but when I click on the Sign-in button in my Xamarin app, the Itsme page appears on screen as a website. I have to enter my phone number, then open the Itsme app manually, validate the connection, and finally go back manually to my app to complete the flow.

    At this step, the Itsme flow is OK, but I can't manage to open the Itsme app directly when I click on the Sign-in button in my app.

    In fact, the behavior is the same as on a classic website on a PC...

    Have you succeeded in your Itsme integration in your mobile app?

    Thank you in advance,

    Eric

