Issue with AzureAD Signature validation failed. Unable to match key

Anonymous
2023-02-12T22:06:04.6966667+00:00

Getting the following error.

    Category: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter
    EventId: 0 SpanId: 299af6e738670e91 TraceId: 79100eb23f1abf3b293c284043c099b4
    ParentId: 0000000000000000 RequestId: 80000019-0000-f800-b63f-84710c7967bb
    RequestPath: /signin-oidc IDX10501: Signature validation failed. Unable to match
    key: kid: 'BYnUfCamu_R22r3gifDUCcPDRrU'. Number of keys in
    TokenValidationParameters: '16'. Number of keys in Configuration: '0'.
    Exceptions caught: '[PII of type 'System.Text.StringBuilder' is hidden. For more
    details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII of type
    'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details,
    see https://aka.ms/IdentityModel/PII.]'.

This is the web code.

        using Microsoft.AspNetCore.Authorization;
        using Microsoft.AspNetCore.Mvc.Authorization;
        using Microsoft.Identity.Web;
        using Microsoft.Identity.Web.UI;
        using Microsoft.IdentityModel.Logging;

        // Reveals token contents and key ids in the log output; keep only while debugging.
        IdentityModelEventSource.ShowPII = true;
        // Registers OpenID Connect sign-in using the "AzureAd" section of configuration.
        builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, "AzureAd");
        // Requires an authenticated user on every Razor page by default.
        builder.Services.AddRazorPages().AddMvcOptions(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                            .RequireAuthenticatedUser()
                            .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        }).AddMicrosoftIdentityUI();


Answer accepted by question author
  1. Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator
    2023-02-15T04:50:00.8733333+00:00

    Hi @Anonymous ,

    Thanks for reaching out and apologies for the delay in response.

    The error message you provided is due to Microsoft Identity not being able to validate the signature of a JSON Web Token (JWT).

    It seems that the key used to sign the JWT cannot be found or matched with the key specified in the token.

    To verify the JWT token:

    1. Verify that the JWT contains three segments, separated by two period ('.') characters.
    2. Parse the JWT to extract its three components. The first segment is the Header, the second is the Payload, and the third is the Signature. Each segment is base64url encoded.
    3. The Signature contains the digital signature of the token that was generated by Azure AD's private key and verifies that the token was signed by the sender.

    The way to validate the authenticity of the JWT token's data is by using Azure AD's public key to verify the signature.
    You can obtain the public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/common/.well-known/openid-configuration and verify against the private key generated by the Azure AD token.

    If it works, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token.
    For validation, developers can also decode JWTs using jwt.ms

    In ASP.NET Core you can check the token validation parameters and make sure that the 'IssuerSigningKeys' property contains the key used to sign the token.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration#token-validation

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

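As an added example (not code from the question or the answer above), a small Python diagnostic that performs steps 1 and 2 of the answer and then the 'IssuerSigningKeys' check it ends with: it compares the token's kid against a JWKS key set and its iss against the issuer from the openid-configuration document, reporting which IDX10501 condition applies before any cryptographic verification. The issuer URL, key id, key set and token are constructed placeholders, and the signature itself is not verified here.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_jwt(token: str) -> dict:
    """Steps 1-2 of the answer: three dot-separated base64url segments."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1])),
            "signature": b64url_decode(parts[2])}

def diagnose(token: str, openid_config: dict, jwks: dict) -> str:
    """Explain an IDX10501-style failure before any signature check is run.
    openid_config: the /.well-known/openid-configuration document; jwks: the
    key set fetched from its jwks_uri (both passed in, nothing is fetched)."""
    parsed = parse_jwt(token)
    kid = parsed["header"].get("kid")
    kids = [k.get("kid") for k in jwks.get("keys", [])]
    if not kids:
        return "no-keys-loaded"      # cf. 'Number of keys in Configuration: 0'
    if parsed["payload"].get("iss") != openid_config.get("issuer"):
        return "issuer-mismatch"     # token minted by a different authority/tenant
    if kid not in kids:
        return "unknown-kid"         # cf. 'Unable to match key: kid ...'
    return "kid-matched"             # proceed to verify the signature with that key

# Constructed sample data: not a real Azure AD tenant, key set or token.
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
OPENID_CONFIG = {"issuer": ISSUER, "jwks_uri": ISSUER[:-5] + "/discovery/v2.0/keys"}
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "constructed-kid-1",
                  "n": "constructed-modulus", "e": "AQAB"}]}

def make_token(kid: str, iss: str = ISSUER) -> str:
    """Build a demo JWT with the given kid/iss and a placeholder signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"iss": iss, "aud": "constructed-client-id"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"

if __name__ == "__main__":
    print(diagnose(make_token("constructed-kid-1"), OPENID_CONFIG, JWKS))  # kid-matched
    print(diagnose(make_token("constructed-kid-2"), OPENID_CONFIG, JWKS))  # unknown-kid
```

In a real deployment the JWKS would be fetched from the jwks_uri of the tenant's own openid-configuration document rather than constructed, and "no-keys-loaded" points at that fetch failing or not having completed.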

1 additional answer

  1. Prithvi Singh 0 Reputation points
    2025-11-05T13:49:43.5+00:00

    Hi Shweta,

    Good day!!

    Now getting the below error:

     IDX10241: Security token validated. token: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.

    Please provide solutions.

