50013-Key Not Found Issue in OBO Flow ;{'error': 'invalid_grant', 'error_description': "AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.,
Fuad Goloba
I am encountering an issue where the key ID (kid) used for token signing is not found during the On-Behalf-Of (OBO) flow validation. Here are the details of the problem:
Context:
- I have an API service with a Microsoft Entra app registration where an SPA sends a token to the service for authentication.
- The tokens are issued by Entra, and the API service acts as a middle-tier service to call a downstream Microsoft Graph API. MSAL's acquire_token_on_behalf_of method is used to exchange the middle-tier access token for the Graph API access token.
- It is noticed during token validation that the token received by the API service has a kid that matches one of the keys only when the OpenID configuration is fetched with the appid query parameter ("{AUTHORITY}/.well-known/openid-configuration?appid={CLIENT_ID}").
Problem:
- When the OpenID configuration is fetched using the standard endpoint (.well-known/openid-configuration), the kid in the token is not found in the JWKS keys.
- Only by including the appid query parameter in the OpenID configuration URL (e.g., .well-known/openid-configuration?appid={client-id}) am I able to retrieve the JWKS keys that contain the matching kid.
- However, during the OBO flow, there is no way to specify which OpenID configuration endpoint to use, leading to the failure with the following error: {'error': 'invalid_grant', 'error_description': "AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.] ..."}
Specifics:
- SPA and API services are both registered in Azure AD.
- The issue is consistent and reproducible: the token's kid is validated against the JWKS keys only when the appid parameter is included, but the OBO flow fails without being able to use a custom endpoint for validation.
Questions:
- How can I ensure that the OBO flow uses the correct JWKS keys, given that the standard endpoint does not provide the needed kid?
- Is there a way to specify a custom OpenID configuration endpoint or JWKS URI for the OBO flow to prevent this issue?
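The diagnostic the post describes (decode the incoming token's JOSE header, then check which metadata source actually publishes that kid) is easy to script. The following is an added example, not code from the original post or from MSAL; it uses only the Python standard library and works offline on constructed inputs. The authority URL, the client id, the sample token and both JWKS documents below are constructed placeholders (no real keys or signatures), and the function names are my own. It builds the standard and the appid-qualified openid-configuration URLs exactly as the post writes them, decodes the unverified token header to read the kid, and reports which JWKS document (tenant-wide versus appid-scoped) contains a matching key. It performs no signature verification; it only tells you where the signing key is published, which is the evidence to attach when raising the AADSTS50013 failure with the app registration owner.

```python
import base64
import json
from typing import Dict, List, Optional
from urllib.parse import urlencode

# --- Metadata URL construction -------------------------------------------

def metadata_url(authority: str, appid: Optional[str] = None) -> str:
    """Return the OpenID configuration URL for an authority.

    With appid set, this is the appid-qualified form the post found
    necessary: {AUTHORITY}/.well-known/openid-configuration?appid={CLIENT_ID}
    """
    url = authority.rstrip("/") + "/.well-known/openid-configuration"
    if appid:
        url += "?" + urlencode({"appid": appid})
    return url

# --- JWT header decoding (no signature check) ----------------------------

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWS without verifying it.

    Only the header is read; the payload and signature are untouched, so
    nothing here should be used to trust the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0]))

# --- JWKS lookup ---------------------------------------------------------

def find_key(jwks: dict, kid: str) -> Optional[dict]:
    """Return the JWK whose kid matches, or None if the document lacks it."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    return None

def locate_kid(token: str, jwks_by_source: Dict[str, dict]) -> dict:
    """Report which named JWKS documents publish the token's signing kid."""
    kid = jwt_header(token).get("kid")
    found: List[str] = [name for name, doc in jwks_by_source.items()
                        if kid is not None and find_key(doc, kid) is not None]
    return {"kid": kid, "found_in": found}

# --- Constructed sample data (placeholders, not real Entra material) ------

AUTHORITY = "https://login.microsoftonline.com/tenant-id"   # placeholder
CLIENT_ID = "client-id"                                       # placeholder

def make_sample_token(kid: str) -> str:
    """Build an unsigned-looking compact JWT carrying the given kid (constructed)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    payload = {"aud": "api://middle-tier", "iss": AUTHORITY + "/v2.0"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])

SAMPLE_TOKEN = make_sample_token("app-specific-kid")

# Constructed JWKS documents: the tenant-wide set lacks the app-specific key,
# the appid-scoped set carries it in addition to the tenant-wide key.
STANDARD_JWKS = {"keys": [{"kty": "RSA", "kid": "tenant-kid-1", "use": "sig"}]}
APP_JWKS = {"keys": [{"kty": "RSA", "kid": "tenant-kid-1", "use": "sig"},
                     {"kty": "RSA", "kid": "app-specific-kid", "use": "sig"}]}

def diagnose(token: str) -> dict:
    """Run the check the post describes on the constructed inputs."""
    report = locate_kid(token, {"standard": STANDARD_JWKS, "appid": APP_JWKS})
    report["urls"] = {"standard": metadata_url(AUTHORITY),
                      "appid": metadata_url(AUTHORITY, CLIENT_ID)}
    return report

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN), indent=2))
```

Against real metadata, replace the two constructed JWKS dictionaries with the jwks_uri documents fetched from each metadata_url result; a kid that appears only under the appid-qualified source is the same condition the post observes before the OBO exchange fails with AADSTS50013.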