Microsoft Entra On-Behalf-Of giving error AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.

Riley Bolen 20 Reputation points
2024-02-10T15:53:24.6366667+00:00

I am trying to implement the On-Behalf-Of flow so that I can make requests from a PHP web API to load data from a Snowflake database. I have been stuck on this error message for days now, and I am running out of things to try. I will include as much detail as I can here, so please bear with me. I have 2 APIs registered in Entra: a client API and an API that lets a user connect to a Snowflake database. I will follow the OBO documentation and call the client one API A, and the data one API B. [screenshot: app-reg]

In API B, I configured a scope access_as_user and authorized the client for this scope. [screenshot: expose-api]

Under Token Configuration for API B I added Optional Claims for acct, acrs, aud, and upn. I also created a new Client Secret under Certificates and Secrets for API B. Then, for the client API A, I added the previously created scope from API B to the API Permissions: [screenshot]

I also created a new Client Secret for API A. I am able to complete the authorization code grant flow as shown in the docs here by calling /authorize in a web browser, logging in with my Microsoft credentials, taking the code from the response, and redeeming it for an access token by calling /token in Postman, like so: [screenshot: Token A request]

which gives me a successful response: [screenshot: Token A response]

I believe that this access_token is what the OBO docs refer to as "Token A". I then take this token, and make a request to the /token endpoint for API B, like so: [screenshot: Token B request]

which gives me the error response: [screenshot: token-b-response]

I have been stuck on this error for days now, and nothing that I have done seems to fix it. I should mention that I was able to successfully authenticate directly with API B using the authorization code grant flow, and load the data from my Snowflake API in this way, so it seems that this API is properly configured, but now I need to get the OBO flow working. Please help me!

Microsoft Entra ID

Accepted answer
    Akhilesh Vallamkonda 12,975 Reputation points Microsoft External Staff
    2024-02-13T11:30:04.86+00:00

    Hi @Riley Bolen

    Thank you for your post!

    For your query, I understand that you are getting the error AADSTS50013: Assertion failed signature validation. [Reason - The key was not found] when you are using the On-Behalf-Of flow.

    Could you please confirm whether you have set the Application ID URI of API B as api://{client_id} in the Azure Active Directory portal? If not, you can set it by navigating to App registrations, choosing your application -> Expose an API, and adding the Application ID URI as shown below. [screenshot]

    Now add the scope for API B, such as access_as_user, and grant the permission for the API to use the scope. To do this, navigate to API permissions -> click Add a permission -> search with your application ID -> in the Delegated permissions section, ensure that the right permissions are checked, as shown below.
    [screenshot]

    When you request a token from API A you can specify the scope as api://{client_id}/access_as_user and the token will have the correct audience claim for API B. [screenshot]

    You can also refer to these posts where a similar issue has been discussed:

    https://stackoverflow.com/questions/54008866/on-behalf-of-token-issue-aadsts50013-assertion-contains-an-invalid-signature

    https://learn.microsoft.com/en-us/answers/questions/1018163/teams-bot-auth-ms-graph-in-java#answer-1019000

    https://learn.microsoft.com/en-us/answers/questions/899134/key-was-found-but-use-of-the-key-to-verify-the-sig

    I hope this information helps! Please feel free to ask any questions you may have.

    Thanks,

    Akhilesh.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

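As an added illustration (not code from the question or the answer), the Python below shows the two points the accepted answer turns on: before API B presents Token A as an OBO assertion, check that Token A's aud claim really is API B's Application ID URI (api://{client_id}) or bare client ID, and then assemble the documented form fields of the OBO request to the v2.0 /token endpoint. The tenant ID, client ID, secret and downstream scope are placeholders, and the two sample tokens are constructed unsigned JWTs so the audience check can be exercised offline.

```python
import base64
import json

# Placeholder values (not real identifiers): substitute your own tenant and
# the client ID / secret of API B (the middle-tier API that receives Token A).
TENANT_ID = "<tenant-id>"
API_B_CLIENT_ID = "00000000-0000-0000-0000-00000000000b"
API_B_CLIENT_SECRET = "<api-b-client-secret>"
# The scope API A must request so that Token A is issued for API B.
API_B_SCOPE = f"api://{API_B_CLIENT_ID}/access_as_user"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding compact JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT's claims WITHOUT verifying the signature.

    This is only for diagnosing which audience a token was issued for; it is
    not a substitute for signature validation, which Entra performs on the
    assertion itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_a_audience_ok(token_a: str, api_b_client_id: str) -> bool:
    """Token A can only serve as API B's OBO assertion if it was issued for
    API B, i.e. its aud claim is api://{client_id} or the bare client ID."""
    aud = decode_jwt_payload(token_a).get("aud")
    accepted = {api_b_client_id, f"api://{api_b_client_id}"}
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in accepted for a in auds)


def build_obo_request(token_a: str, downstream_scope: str,
                      api_b_client_id: str = API_B_CLIENT_ID,
                      api_b_client_secret: str = API_B_CLIENT_SECRET) -> dict:
    """Form fields for the OBO exchange POSTed to /oauth2/v2.0/token.

    API B authenticates with its own client ID and secret and presents Token A
    as the assertion; scope names the downstream resource API B will call."""
    if not token_a_audience_ok(token_a, api_b_client_id):
        raise ValueError(
            "Token A was not issued for API B; request it from API A with scope "
            f"api://{api_b_client_id}/access_as_user first"
        )
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": api_b_client_id,
        "client_secret": api_b_client_secret,
        "assertion": token_a,
        "scope": downstream_scope,
        "requested_token_use": "on_behalf_of",
    }


# --- Constructed sample tokens (unsigned, for illustration only) -------------
def _unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT so the audience check can run offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Token A issued for API B (what the answer's scope advice produces).
TOKEN_FOR_API_B = _unsigned_jwt({"aud": f"api://{API_B_CLIENT_ID}", "scp": "access_as_user"})
# A token issued for some other resource: API B must not exchange this one.
TOKEN_FOR_OTHER_API = _unsigned_jwt({"aud": "api://some-other-app-id", "scp": "access_as_user"})

if __name__ == "__main__":
    print("Token A for API B accepted:", token_a_audience_ok(TOKEN_FOR_API_B, API_B_CLIENT_ID))
    print("Token for other resource accepted:", token_a_audience_ok(TOKEN_FOR_OTHER_API, API_B_CLIENT_ID))
    fields = build_obo_request(TOKEN_FOR_API_B, "<downstream-scope>")
    print("POST", TOKEN_ENDPOINT, "with fields", sorted(fields))
```

The audience check is a diagnostic, not a security control: it tells you whether the token you are about to send as an assertion was minted for API B at all, which is the configuration point the answer raises (requesting api://{client_id}/access_as_user from API A). Whether the assertion's signature is valid is still decided by Entra when it processes the OBO request.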
