This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 4%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHA%3C/text%3E%3C/svg%3E)
Hi,
As per the below docs :
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
A validation of a id__token should be same as validating an access_token. Which means that an id_token should be signed. But , when an id_token is issued by Identity Experience Framework ( after user logs in) then that id_token does not contain any signature.
Please explain the ambiguity between the docs and actual functionality..
One more reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens ... which says "To validate an id_token or an access_token, your app should validate both the token's signature and the claims"
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 24%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
It looks like that I have gotten the same issue:
I have set up a new b2c tenant and using the https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started I have set up the Identity Experience Framework.
Everything woks fine (sign in sign up) but when b2c issues the token the signature is not valid.
I may be mistaken but looks like something is missing in the setting up using the App registrations (Preview) I have another tenant that I have set up with the Legacy App Registration that is working fine. Legacy app registration is not available anymore that should be removed from the documentation.
Please advise.
@Harjani, Ashish This is because jwt.io is not able to fetch the public key and and is unable to validate the signature. Please refer to the screenshot below which is captured with a token issued via standard AAD and not IEF. There is a slight difference in how the public key is fetched in case of token issued via IEF, which might be the reason why you don't see public key on jwt.io for token issued via IEF. You can read more about signature validation in B2C here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview#validate-signature
-----------------------------------------------------------------------------------------------------------
Please Accept as answer wherever the information provided helps you to help others in the community.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 96%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
The problem with this article is that it does not detail what you need to do to validate the signature, and instead sends the user in search of an article that describes what you need to do.
Even worse, some jwks_uri payloads for Azure B2C do not have a readily available x5c value, and only have an e and n value. I've read somewhere that a PEM certificate can be reverse engineered from these values.
It would be great if the section describing validation of a signature for Azure B2C followed through with some recommendations on how that is actually done, or recommended at least one article.
@Harjani, Ashish I disagree with you on this statement "when an id_token is issued by Identity Experience Framework ( after user logs in) then that id_token does not contain any signature."
Below is a snip of the id_token issued by IEF which is signed. If you decode the token at https://jwt.ms, you will find that the green text is the signature and the "alg": "RS256" is the id_token signing algorithm. Which would match with the value of id_token_signing_alg_values_supported parameter in your OIDC metadata located here:
https://login.microsoftonline.com/{your_b2c_tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration
-----------------------------------------------------------------------------------------------------------
Please "Accept as answer" wherever the information provided helps you to help others in the community.
@amanpreetsingh-msft - Thanks for getting back on this. Can you please take that token generated by IEF and decode it at https://jwt.io/ . You would notice at the end of page :
Similarly if you take any access token and decode it at the same website and it would tell that Signature Is valid. Can you please explain this ?
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 33%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Hi Amanpreet,
I hope you are doing well and safe !!
Can you please help me with Jwt's signature Kid value is not matched error and how I can validate Kid?
I am using jwks_uri for keys? I am not an expert so If you can explain step by step complete chronology to try?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 27%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Did you ever fix this? I have the same issue when trying to use of the policies from a B2C application. (Work fine from an IEF application)