50013-Key Not Found Issue in OBO Flow ;{'error': 'invalid_grant', 'error_description': "AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.,

Fuad Goloba 20 Reputation points
2024-09-11T17:12:28.6933333+00:00

I am encountering an issue where the key ID (kid) used for token signing is not found during the On-Behalf-Of (OBO) flow validation. Here are the details of the problem:

Context:

  • I have an API service with a Microsoft Entra app registration where an SPA sends a token to the service for authentication
  • The tokens are issued by Entra. And the API service acts as a middle-tier service to call a downstream Microsoft Graph API. MSAL's acquire_token_on_behalf_of method is used to exchange the middle-tier access token for the Graph API access token
  • It is noticed during token validation that the token received by the API service has a kid that matches one of the keys only when the OpenID configuration is fetched with the appid query parameter ("{AUTHORITY}/.well-known/openid-configuration?appid={CLIENT_ID}").

Problem:

  • When the OpenID configuration is fetched using the standard endpoint (.well-known/openid-configuration), the kid in the token is not found in the JWKS keys.
  • Only by including the appid query parameter in the OpenID configuration URL (e.g., .well-known/openid-configuration?appid={client-id}) am I able to retrieve the JWKS keys that contain the matching kid.
  • However, during the OBO flow, there is no way to specify which OpenID configuration endpoint to use, leading to the failure with the following error: {'error': 'invalid_grant', 'error_description': "AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.] ..."}

Specifics:

  • SPA and API services are both registered in Azure AD.
  • The issue is consistent and reproducible - the token's kid is validated against the JWKS keys only when the appid parameter is included, but OBO flow fails without being able to use a custom endpoint for validation.

Questions:

  • How can I ensure that the OBO flow uses the correct JWKS keys, given that the standard endpoint does not provide the needed kid?
  • Is there a way to specify a custom OpenID configuration endpoint or JWKS URI for the OBO flow to prevent this issue?
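As an added diagnostic (not code from the question's author), the following script reads the kid from the incoming token's header and checks which JWKS document publishes it: the one referenced by the standard discovery endpoint or the one referenced by the appid-scoped endpoint the question describes. The authority URL, client ID and the sample token/JWKS values are constructed placeholders; `diagnose()` performs the live comparison, while the offline sample reproduces the reported mismatch.

```python
import base64
import json
import urllib.request

def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT (no signature check) to read its kid."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def kids_in_jwks(jwks: dict) -> set:
    """Collect the key IDs advertised by a JWKS document."""
    return {k["kid"] for k in jwks.get("keys", []) if "kid" in k}

def locate_kid(kid: str, jwks_by_source: dict) -> list:
    """Name the JWKS sources (e.g. 'standard', 'appid') that publish `kid`."""
    return [name for name, jwks in jwks_by_source.items() if kid in kids_in_jwks(jwks)]

def fetch_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def diagnose(token: str, authority: str, client_id: str) -> list:
    """Live check: resolve jwks_uri from both discovery documents and see which has the kid."""
    kid = jwt_header(token)["kid"]
    discovery = {
        "standard": fetch_json(f"{authority}/.well-known/openid-configuration"),
        "appid": fetch_json(f"{authority}/.well-known/openid-configuration?appid={client_id}"),
    }
    return locate_kid(kid, {name: fetch_json(doc["jwks_uri"]) for name, doc in discovery.items()})

def _encode(part: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(part).encode()).rstrip(b"=").decode()

# Constructed offline sample: an unsigned token header and stand-ins for the two JWKS responses.
SAMPLE_TOKEN = ".".join([_encode({"typ": "JWT", "alg": "RS256", "kid": "app-specific-key"}),
                         _encode({"aud": "api://sample"}), ""])
SAMPLE_JWKS = {
    "standard": {"keys": [{"kid": "tenant-wide-key", "kty": "RSA"}]},
    "appid": {"keys": [{"kid": "tenant-wide-key", "kty": "RSA"},
                       {"kid": "app-specific-key", "kty": "RSA"}]},
}

if __name__ == "__main__":
    print(locate_kid(jwt_header(SAMPLE_TOKEN)["kid"], SAMPLE_JWKS))  # ['appid']
```

A result of only `['appid']` means the token was signed with an application-specific key rather than a tenant-wide one, which is exactly the case the `appid` query parameter on the discovery endpoint exists to expose.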