"AADSTS500123: Signed OIDC request failed signature validation [Reason - The key was not found."
Hi, our team is using tokenCreator.CreateHttpAuthenticatorAsync to create a PoP header. It worked well until recently, when it started failing with the error shown below.
Test method RestService.FuncTests.AuthenticationTests.MSAuthAtPopAuth_InvalidActorApplication_UnauthorizedException threw exception:
Microsoft.IdentityModel.S2S.Tokens.GetTokenException: S2S33102: Failed to get POP token from tokenEndpoint: 'https://login.windows-ppe.net/49bfa636-63ba-48c5-864b-5cab85065d55/oauth2/token', clientId: 'b33ecb4f-0778-4de3-9025-14071377faea', resource: 'https://hostedrms.com', activityId: 'c939d18b-2ccd-4f87-bd67-92b3a4109319'.
HttpResponseMessage: 'StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
client-request-id: c939d18b-2ccd-4f87-bd67-92b3a4109319
x-ms-request-id: 10bae664-6cc9-4830-9d17-2be3e3370200
x-ms-ests-server: 2.1.18003.0 - CHY PPE
x-ms-clitelem: 1,500123,0,,
x-ms-httpver: 1.1
X-XSS-Protection: 0
Cache-Control: no-store, no-cache
Date: Thu, 18 Apr 2024 18:45:59 GMT
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=ApnYuK87trRLkCddFj7FIl5y51oTAQAAAGdhs90OAAAA; expires=Sat, 18-May-2024 18:46:00 GMT; path=/; secure; HttpOnly; SameSite=None
Content-Length: 934
Content-Type: application/json; charset=utf-8
Expires: -1
}',
HttpResponseMessage.Content: '{"error":"invalid_client","error_description":"AADSTS500123: Signed OIDC request failed signature validation [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '00000000-0000-0000-0000-000000000000'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft-ppe.com/beta/applications/00000000-0000-0000-0000-000000000000']. Trace ID: 10bae664-6cc9-4830-9d17-2be3e3370200 Correlation ID: c939d18b-2ccd-4f87-bd67-92b3a4109319 Timestamp: 2024-04-18 18:46:00Z","error_codes":[500123],"timestamp":"2024-04-18 18:46:00Z","trace_id":"10bae664-6cc9-4830-9d17-2be3e3370200","correlation_id":"c939d18b-2ccd-4f87-bd67-92b3a4109319"}'. ---> Microsoft.IdentityModel.S2S.Tokens.IdentityProviderException: S2S33109: Identity provider returns an error: 'invalid_client', errorCodes: 'System.Collections.Generic.List`1[System.Object]', errorMessage: 'AADSTS500123: Signed OIDC request failed signature validation [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '00000000-0000-0000-0000-000000000000'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft-ppe.com/beta/applications/00000000-0000-0000-0000-000000000000']. 
Trace ID: 10bae664-6cc9-4830-9d17-2be3e3370200 Correlation ID: c939d18b-2ccd-4f87-bd67-92b3a4109319 Timestamp: 2024-04-18 18:46:00Z', errorUri: 'null', rawErrorString: '{"error":"invalid_client","error_description":"AADSTS500123: Signed OIDC request failed signature validation [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '00000000-0000-0000-0000-000000000000'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft-ppe.com/beta/applications/00000000-0000-0000-0000-000000000000']. Trace ID: 10bae664-6cc9-4830-9d17-2be3e3370200 Correlation ID: c939d18b-2ccd-4f87-bd67-92b3a4109319 Timestamp: 2024-04-18 18:46:00Z","error_codes":[500123],"timestamp":"2024-04-18 18:46:00Z","trace_id":"10bae664-6cc9-4830-9d17-2be3e3370200","correlation_id":"c939d18b-2ccd-4f87-bd67-92b3a4109319"}'.
I don't really understand the issue, but roughly it's like the key for appId '00000000-0000-0000-0000-000000000000' is not found and it can't verify the signature. But the question is that we didn't pass in this appId, since it's an empty Guid. So, I don't understand why the error states that Graph can't find the public key for this empty Guid; the related correlationId is provided in the error message. Can you help me identify the root cause? Since this error just popped up recently, I assume maybe this is because some changes happened on the Graph side and our team didn't sync with that.