Microsoft Entra On-Behalf-Of giving error AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.

Question

I am trying to implement the On-Behalf-Of flow so that I can make requests from a PHP web API to load data from a Snowflake database. I have been stuck on this error message for days now, and I am running out of things to try. I will include as much detail as I can here, so please bear with me. I have 2 APIs registered in Entra; a client API and an API that lets a user connect to a Snowflake database. I will follow the OBO documentation and call the client one API A, and the data one API B.

In API B, I configured a scope access_as_user and authorized the client for this scope.

Under Token Configuration for API B I added Optional Claims for acct, acrs, aud, and upn. I also created a new Client Secret under Certificates and Secrets for API B. Then, for the client API A, I added the previously created scope from API B to the API Permissions:

I also created a new Client Secret for API A. I am able to complete the authorization code grant flow as shown in the docs here by calling /authorize in a web browser, logging in with my Microsoft credentials, taking the code from the response, and redeeming it for an access token by calling /token in Postman, like so:

which gives me a successful response:

I believe that this access_token is what the OBO docs refer to as "Token A". I then take this token, and make a request to the /token endpoint for API B, like so:

Which gives me the error response:

I have been stuck on this error for days now, and nothing that I have done seems to fix it. I should mention, that I was able to successfully authenticate directly with API B usnig the authorization code grant flow, and load the data from my Snowflake API in this way, so it seems that this API is properly configured, but now I need to get the OBO flow working. Please help me!

Answer 1

Hi @Riley Bolen

Thank you for post!

For your query, I understand that you are getting error AADSTS50013: Assertion failed signature validation. [Reason - The key was not found when you are using the On-Behalf-Of flow.

Could you please confirm have you set the Application ID URI of API B as api://{client_id}
in Azure Active Directory portal, if not you can set by navigating to App registration and choose your application -> Expose an API and add the Application ID URI which as shown in the below.

And now add the scope for API B such as access_as_user and now grant the permission for API to use the scope. To do navigate to API permissions -> Click Add Permission -> Search with your application ID -> In the Delegated permissions section, ensure that the right permissions are checked which are shown in the below.

When you request a token from API A you can specify the scope as api://{client_id}/access_as_user and the token will have the correct audience claim for API B.

You can also refer to this post where similar issue has been discussed:

https://stackoverflow.com/questions/54008866/on-behalf-of-token-issue-aadsts50013-assertion-contains-an-invalid-signature

https://learn.microsoft.com/en-us/answers/questions/1018163/teams-bot-auth-ms-graph-in-java#answer-1019000

https://learn.microsoft.com/en-us/answers/questions/899134/key-was-found-but-use-of-the-key-to-verify-the-sig

I hope this information helps! please Feel free to ask any questions you may have.

Thanks,

Akhilesh.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

Answer 2

I have also some issues:

Scenario

I am implementing On‑Behalf‑Of (OBO) flow with Microsoft identity platform to access Microsoft Graph.

User identity source: AWS ALB OIDC (not Azure AD).

ALB‑issued ID tokens are not supported as user assertions for OBO.

Therefore, I generate a synthetic user assertion JWT to represent the user.

---

OBO request

I call:

POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

client_id=<client_id>

client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer

client_assertion=<signed JWT with uploaded cert>

requested_token_use=on_behalf_of

assertion=<synthetic user assertion JWT>

scope=https://graph.microsoft.com/.default

Client assertion:

Signed with my uploaded certificate

aud = token endpoint

Local verification ✅

User assertion:

Synthetic JWT because ALB token is not AAD‑issued

  Tried multiple formats:
  
        Signed JWT (`aud` = my API URI)
        
              Signed JWT (`aud` = token endpoint)
              
                    Unsigned JWT (alg=none)
                    
                          Opaque string / raw ALB token
                          
                             Local verification ✅
                             

---

What I observe

• Every OBO request fails with:
  • Client assertion:
    • Signed with my uploaded certificate
    • aud = token endpoint
    • Local verification ✅
  • User assertion:
    • Synthetic JWT because ALB token is not AAD‑issued
    • Tried multiple formats:
      1. Signed JWT (aud = my API URI)
      2. Signed JWT (aud = token endpoint)
      3. Unsigned JWT (alg=none)
      4. Opaque string / raw ALB token
    • Local verification ✅
  What I observe Every OBO request fails with:

AADSTS50013: Assertion failed signature validation.

Reason - The key was not found.

Thumbprint of key used by client: <my cert SHA1>

Local signature verification of all signed JWTs works ✅

Certificate is uploaded in App Registration, thumbprint matches, and is active

Using client_assertion only (no client_secret) → still fails

Tried changing user assertion audience and opaque values → still fails

---

What I already tried

Verified local JWT creation and RS256 signing with BouncyCastle

Confirmed iat > certificate startDateTime

Confirmed client_assertion audience = token endpoint

Tested synthetic user assertion in all supported formats

Confirmed cert is visible in keyCredentials and thumbprint matches the log

---

Current status

• Azure AD always returns AADSTS50013: key not found for the thumbprint that is active in the app registration.

Appears that OBO token exchange fails even when client assertion is correct.

This blocks OBO with non‑AAD identities (ALB) using a synthetic JWT user assertion.

Local signature verification of all signed JWTs works ✅

Certificate is uploaded in App Registration, thumbprint matches, and is active

Using client_assertion only (no client_secret) → still fails

Tried changing user assertion audience and opaque values → still fails

---

What I already tried

Verified local JWT creation and RS256 signing with BouncyCastle

Confirmed iat > certificate startDateTime

Confirmed client_assertion audience = token endpoint

Tested synthetic user assertion in all supported formats

Confirmed cert is visible in keyCredentials and thumbprint matches the log

---

Current status

Azure AD always returns AADSTS50013: key not found for the thumbprint that is active in the app registration.

Appears that OBO token exchange fails even when client assertion is correct.

• This blocks OBO with non‑AAD identities (ALB) using a synthetic JWT user assertion.

---

I do not know what else to try.... thanks for help.