Entra ID - OIDC BFF pattern - does not work

Robert Desbiens 40 Reputation points
2024-05-28T19:05:49.29+00:00

Hi,

I have a blazor hybrid app with both webassembly and server.

Currently I'm using the oidc flow with b2c (https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-8.0&pivots=with-bff-pattern) and it is working fine. I've spent a few days trying to migrate it to Entra External ID but for some reason, I'm having a few issues.

I'm getting the following error when I add the scope of the backend API (it is working fine without the scope):
OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.

I have a valid Client secret configured within my application, I'm not sure what this signing key refers to.

Developer technologies | .NET | Blazor
Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2024-05-28T22:00:38.1033333+00:00

    Hi @Robert Desbiens ,

    This error typically occurs due to issues with the claims mapping or expired policies. When users modify the token contents through claims-mapping policies, the application must know that tokens have been modified by the users rather than an attacker, so acceptMappedClaims needs to be set to "true" in the application manifest. If the signInAudience is AzureADandPersonalMicrosoftAccount, the value of accessTokenAcceptedVersion must be 2, and acceptMappedClaims should be "true" for single-tenant apps.

    "acceptMappedClaims": true, "accessTokenAcceptedVersion": 2,

    This is documented here: https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute

    Also, make sure that you can authorize the JWT token (AddAuthentication().AddJwtBearer in ConfigureServices).

    https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.jwtbearerappbuilderextensions.usejwtbearerauthentication?view=aspnetcore-2.2

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
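The following is an added example, not code from the question or from the accepted answer, showing what the "authorize the JWT token" step of the answer looks like in a .NET 8 minimal backend API: AddAuthentication().AddJwtBearer configured to validate v2 access tokens (the version the manifest setting "accessTokenAcceptedVersion": 2 makes the tenant issue). The authority URL, tenant id, API client id and the scope name API.Access are all placeholders and assumptions; substitute your tenant's values.

```csharp
// Added example (not from the question or the accepted answer): backend API
// wiring that validates Entra-issued v2 access tokens with
// AddAuthentication().AddJwtBearer. All ids, hostnames and the scope name
// below are placeholders (assumptions), not values from the page.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed values: an Entra External ID tenant exposes its v2.0 authority on
// the tenant's ciamlogin.com host; workforce tenants use login.microsoftonline.com.
const string Authority = "https://<your-subdomain>.ciamlogin.com/<tenant-id>/v2.0"; // assumption
const string ApiClientId = "<api-application-client-id>";                            // assumption
const string RequiredScope = "API.Access";                                           // assumed scope name

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The handler downloads the OpenID configuration (issuer + signing keys)
        // from the authority, so the signing key is never hard-coded here.
        options.Authority = Authority;
        // With accessTokenAcceptedVersion = 2 the "aud" claim carries the API's
        // client id, so that is the audience to validate against.
        options.Audience = ApiClientId;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // Small skew so expired tokens are rejected promptly.
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });

// Every endpoint requires an authenticated caller unless it opts out.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint that additionally checks the delegated scope ("scp" claim) the
// Blazor BFF requested for this API is present on the token.
app.MapGet("/api/data", (HttpContext ctx) =>
{
    var scopes = ctx.User.FindFirst("scp")?.Value.Split(' ') ?? Array.Empty<string>();
    if (!scopes.Contains(RequiredScope))
        return Results.Forbid();
    return Results.Ok(new { message = "authenticated call succeeded" });
});

app.Run();
```

Setting Authority rather than pasting keys means the API picks up key rotation automatically, and the explicit audience and scope checks ensure a token issued for a different app in the same tenant is rejected with 401/403 rather than accepted.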

