Issue with AzureAD Signature validation failed. Unable to match key

Mark England 25 Reputation points
2023-02-12T22:06:04.6966667+00:00

Getting the following error.

        Category: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter
        EventId: 0 SpanId: 299af6e738670e91 TraceId: 79100eb23f1abf3b293c284043c099b4
        ParentId: 0000000000000000 RequestId: 80000019-0000-f800-b63f-84710c7967bb
        RequestPath: /signin-oidc IDX10501: Signature validation failed. Unable to match
        key: kid: 'BYnUfCamu_R22r3gifDUCcPDRrU'. Number of keys in
        TokenValidationParameters: '16'. Number of keys in Configuration: '0'.
        Exceptions caught: '[PII of type 'System.Text.StringBuilder' is hidden. For more
        details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII of type
        'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details,
        see https://aka.ms/IdentityModel/PII.]'.

This is the web code.

        using Microsoft.AspNetCore.Authorization;
        using Microsoft.AspNetCore.Mvc.Authorization;
        using Microsoft.Identity.Web;
        using Microsoft.Identity.Web.UI;
        using Microsoft.IdentityModel.Logging;

        var builder = WebApplication.CreateBuilder(args);

        // Include PII (token contents, kid) in IdentityModel log output; for development only.
        IdentityModelEventSource.ShowPII = true;
        // OpenID Connect sign-in configured from the "AzureAd" section of appsettings.json.
        builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, "AzureAd");
        // Require an authenticated user on every Razor Page and add the sign-in/sign-out UI.
        builder.Services.AddRazorPages().AddMvcOptions(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                            .RequireAuthenticatedUser()
                            .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        }).AddMicrosoftIdentityUI();


Accepted answer
  1. Shweta Mathur 29,761 Reputation points Microsoft Employee
    2023-02-15T04:50:00.8733333+00:00

    Hi @Mark England ,

    Thanks for reaching out and apologies for the delay in response.

    The error message you provided is due to Microsoft Identity not being able to validate the signature of a JSON Web Token (JWT).

    It seems that the key used to sign the JWT cannot be found or matched with the key specified in the token.

    To Verify the JWT token:

    1. Verify that the JWT contains three segments, separated by two period ('.') characters.
    2. Parse the JWT to extract its three components. The first segment is the Header, the second is the Payload, and the third is the Signature. Each segment is base64url encoded.
    3. The Signature contains the digital signature of the token that was generated with Azure AD’s private key; verify that the token was signed by the sender.

    The way to validate the authenticity of the JWT token’s data is by using Azure AD’s public key to verify the signature.
    You can obtain the public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/common/.well-known/openid-configuration and verify against the private key generated by the Azure AD token.

    If it works, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token.
    For validation, developers can also decode JWTs using jwt.ms.

    In ASP.NET Core, you can check the token validation parameters and make sure that the 'IssuerSigningKeys' property contains the key used to sign the token.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration#token-validation

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if the answer helped you.

    2 people found this answer helpful.
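The steps in the accepted answer, carried out end to end as an added example. This is not code from the question, the answer, or Microsoft Identity Web; it is a standalone Go program using only the standard library, so the mechanics the .NET library performs internally are visible. It assumes a constructed key set in the shape of the "keys" array served at the jwks_uri named in the OpenID configuration document, and the key ids (`example-kid-1`, `rotated-kid-not-in-set`), the claims and the function names (`keyForKid`, `SignRS256`, `VerifyRS256`, `Demo`) are the example's own. The unknown-kid case is the manual counterpart of the IDX10501 message in the question: the header's kid is looked up in the key set, and when nothing matches, the signature cannot be checked at all.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk is one RSA entry of the "keys" array served at the jwks_uri named in the OpenID configuration.
type jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var ErrKeyNotFound = errors.New("signature validation failed: unable to match key") // counterpart of IDX10501
func b64(b []byte) string                                                       { return base64.RawURLEncoding.EncodeToString(b) }

// keyForKid finds the JWK whose kid matches and turns its n and e members into an RSA public key.
func keyForKid(keys []jwk, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		if k.Kid == kid {
			n, errN := base64.RawURLEncoding.DecodeString(k.N)
			e, errE := base64.RawURLEncoding.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("unusable JWK %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("%w: kid %q, keys in set: %d", ErrKeyNotFound, kid, len(keys))
}

// SignRS256 builds header.payload.signature labelled with kid, the way the issuer does.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims) // plain JSON values only, so marshalling cannot fail
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyRS256 follows the answer's steps: three segments, base64url decode, kid lookup, signature check, then claims.
func VerifyRS256(token string, keys []jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have exactly three segments")
	}
	var seg [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		seg[i] = b
	}
	var header struct{ Alg, Kid string } // alg is pinned below: the token never gets to choose how it is verified
	if err := json.Unmarshal(seg[0], &header); err != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg %q, err %v", header.Alg, err)
	}
	pub, err := keyForKid(keys, header.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	var claims map[string]any // decoded only after the signature has checked out
	err = json.Unmarshal(seg[1], &claims)
	return claims, err
}

// Demo generates a key pair and a one-key JWKS (constructed sample data, not an Azure AD key), then checks
// a valid token, a token whose kid is absent from the set, and a token whose payload was altered after signing.
func Demo() (validErr, kidErr, tamperErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := []jwk{{Kid: "example-kid-1", N: b64(priv.N.Bytes()), E: b64(big.NewInt(int64(priv.E)).Bytes())}}
	claims := map[string]any{"sub": "user@example.test", "aud": "api://example"}
	good, _ := SignRS256(priv, "example-kid-1", claims)
	_, validErr = VerifyRS256(good, keys)
	unknown, _ := SignRS256(priv, "rotated-kid-not-in-set", claims)
	_, kidErr = VerifyRS256(unknown, keys)
	parts := strings.Split(good, ".")
	parts[1] = b64([]byte(`{"sub":"someone-else","aud":"api://example"}`))
	_, tamperErr = VerifyRS256(strings.Join(parts, "."), keys)
	return
}

func main() { fmt.Println(Demo()) }
```

Running `go run .` prints `<nil>` for the valid token, the "unable to match key" error for the unknown kid, and a signature error for the altered payload. The kid lookup is the same step the .NET library reports on: the question's log shows the kid it was looking for and `Number of keys in Configuration: '0'`, and with no keys loaded from the configuration document the lookup fails for every kid, whichever key actually signed the token.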

0 additional answers
