AADSTS500033: There is an issue with the key 'RTlDMTY2Q0FCN0JFQzFFNThBNkJDQTFCMUJBQjYyNjFFMEEyOTRCNg'. It has both x5t and x5c values, but they do not match. Please make sure the x5t value is the Base64Url-encoded SHA-1 thumbprint of the first certificate

jeremy woo 0 Reputation points
2023-10-08T07:39:15.7833333+00:00

Dear sir/madam,

I am trying to set up Microsoft Entra and trying to obtain an access token with a federated credential with an external OIDC provider, Auth0. I am referring to the third scenario from the docs here. (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow)

For some reason, it still thinks that I am trying to set up scenario 2 (obtaining an access token via certificate), because I am getting the following error. The docs say the input/request for scenarios 2 and 3 is the same; however, after I have obtained my access token from Auth0 and placed it in my client_assertion, this is what I see (below):

AADSTS500033: There is an issue with the key 'RTlDMTY2Q0FCN0JFQzFFNThBNkJDQTFCMUJBQjYyNjFFMEEyOTRCNg'. It has both x5t and x5c values, but they do not match. Please make sure the x5t value is the Base64Url-encoded SHA-1 thumbprint of the first certificate in x5c.

Sample of my request can be illustrated here

curl --location 'https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=my-client-id' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=<my-access-token>' \
--data-urlencode 'grant_type=client_credentials'

my-client-id has been set up for a federated credential.

Thank you for your help.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2023-10-09T21:47:00.2+00:00

    Hi @jeremy woo, the key you are using has both x5t and x5c values, but they do not match.

    Based on the error message, it seems like you are still using the input/request for scenario 2 - obtaining access token via certificate. However, you should be using the input/request for scenario 3 - obtaining access token via client assertion.

    To resolve this issue, you may want to double-check your request and ensure that you are using the correct input/request for scenario 3. You may also want to check if the x5t value is the Base64Url-encoded SHA-1 thumbprint of the first certificate in x5c.

    Here is an example of a request for scenario 3 that you can refer to:

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=client_credentials
    &client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    &client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd6RXpYT2N5c0hZd0ZfZV9w...
    &scope=https://graph.microsoft.com/.default
    
    

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

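The check behind AADSTS500033 is purely arithmetic: when a client assertion header carries both x5t and x5c, Entra treats it as a certificate-signed assertion (scenario 2) and requires x5t to equal the base64url encoding, without padding, of the 20 raw SHA-1 bytes of the DER certificate in x5c[0]. A header with only a kid and no certificate hints is what a federated (scenario 3) assertion normally looks like. The example below is added here and is not code from the thread or from Microsoft; it is stdlib-only Python that builds a header both the right and the wrong way, mirrors the consistency check, and decodes the key identifier quoted in the error message above. The certificate DER bytes, the claims and the signature segment are constructed placeholders, since only the header is inspected.

```python
"""Added example: reproduce the x5t/x5c consistency check behind AADSTS500033.

Assumptions: stdlib only; FAKE_CERT_DER is a constructed placeholder (Entra
hashes the raw DER bytes of x5c[0], so a real certificate is not needed to
show the arithmetic); the JWS signature segment is a placeholder because the
check only reads the header.
"""
import base64
import hashlib
import json
import re

# Constructed placeholder for a DER-encoded X.509 certificate (not a real cert).
FAKE_CERT_DER = b"\x30\x82\x02\x10" + bytes(range(256)) * 2


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE uses for x5t."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64_decode_lenient(text: str) -> bytes:
    """Decode standard base64 or base64url, with or without padding."""
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def correct_x5t(cert_der: bytes) -> str:
    """x5t as the error message demands: base64url of the 20 raw SHA-1 bytes."""
    return b64url_encode(hashlib.sha1(cert_der).digest())


def hex_thumbprint_x5t(cert_der: bytes) -> str:
    """The common mistake: base64 of the 40-char hex thumbprint *text*
    (the form most tooling prints), which is not what the x5t header means."""
    return b64url_encode(hashlib.sha1(cert_der).hexdigest().upper().encode("ascii"))


def build_assertion(header: dict, claims: dict) -> str:
    """Compact JWS header.payload.signature with a placeholder signature."""
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([seg(header), seg(claims), b64url_encode(b"placeholder-signature")])


def check_assertion_header(assertion: str) -> str:
    """Mirror the condition AADSTS500033 reports. Verdicts:
      'kid-only'  no x5t/x5c, nothing for the certificate path to check
                  (a federated credential is validated by kid against the
                  external issuer's published JWKS instead)
      'x5t-only' / 'x5c-only'
      'match'     x5t equals the thumbprint of x5c[0]
      'mismatch'  both present but inconsistent (the AADSTS500033 case)
    """
    header = json.loads(b64_decode_lenient(assertion.split(".")[0]))
    x5t, x5c = header.get("x5t"), header.get("x5c")
    if not x5t and not x5c:
        return "kid-only"
    if x5t and not x5c:
        return "x5t-only"
    if x5c and not x5t:
        return "x5c-only"
    # x5c entries are standard base64 of the DER certificate (RFC 7515).
    return "match" if x5t == correct_x5t(b64_decode_lenient(x5c[0])) else "mismatch"


def decode_key_id(key_id: str):
    """Decode the key identifier quoted in an AADSTS500033 message and report
    whether it is a hex thumbprint encoded as text (40 hex chars) rather than
    base64url of the raw digest bytes."""
    text = b64_decode_lenient(key_id).decode("ascii", "replace")
    return text, bool(re.fullmatch(r"[0-9A-Fa-f]{40}", text))


# Constructed claims; the audience form is illustrative only.
CLAIMS = {"iss": "my-client-id", "sub": "my-client-id",
          "aud": "https://login.microsoftonline.com/my-tenant-id/v2.0"}
X5C = [base64.b64encode(FAKE_CERT_DER).decode("ascii")]

GOOD = build_assertion({"alg": "RS256", "x5t": correct_x5t(FAKE_CERT_DER), "x5c": X5C}, CLAIMS)
BAD = build_assertion({"alg": "RS256", "x5t": hex_thumbprint_x5t(FAKE_CERT_DER), "x5c": X5C}, CLAIMS)
FEDERATED = build_assertion({"alg": "RS256", "kid": "issuer-key-1"}, CLAIMS)

if __name__ == "__main__":
    print("raw-digest x5t:", check_assertion_header(GOOD))
    print("hex-text x5t:  ", check_assertion_header(BAD))
    print("kid only:      ", check_assertion_header(FEDERATED))
    print("error key id:  ", decode_key_id("RTlDMTY2Q0FCN0JFQzFFNThBNkJDQTFCMUJBQjYyNjFFMEEyOTRCNg"))
```

Running decode_key_id on the identifier from the error in this thread yields a 40-character hex string, which is a SHA-1 thumbprint rendered as text and then base64-encoded; that is exactly the shape Entra rejects, because a valid x5t is the base64url of the 20 digest bytes (27 characters, no padding). The practical check before sending an assertion is therefore: decode the header, and if it contains x5c, recompute x5t from x5c[0] and compare; if the assertion comes from an external OIDC issuer, make sure it is being validated through the federated credential (kid against the issuer's JWKS) rather than carrying certificate headers that route it down the certificate path.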

  2. jeremy woo 0 Reputation points
    2023-10-10T07:10:18.6733333+00:00

    hi James,

    Thank you for getting back to me. I found out that the JWT token that was issued by Auth0 is slightly different; please note the kid field (in the attached image). This could be the reason for my problem.

    Then I tried using a Google JWT and I was able to get a token back from Microsoft Entra.

    User's image

