
Using AppModelv2_WebApp_OpenIDConnect_DotNet gives me an error saying TOKEN does not have KID

Shah, Samip 0 Reputation points
2025-03-12T19:23:53.43+00:00

I started using
https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet

for signing in using Microsoft Azure. All redirect URIs are good and the app on the Azure side is configured properly, but when I try to access the sign-in it gives me a weird error.

Server Error in '/test' Application.


IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'imi0Y2z0dYKxBttAqK_Tt5hYBTk', InternalId: 'imi0Y2z0dYKxBttAqK_Tt5hYBTk'. , KeyId: imi0Y2z0dYKxBttAqK_Tt5hYBTk Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: 'imi0Y2z0dYKxBttAqK_Tt5hYBTk', InternalId: 'THwdc9QL20JtJrBQsxdxjKs4XE2YUBdWEm1DveRIK2c'. , KeyId: imi0Y2z0dYKxBttAqK_Tt5hYBTk Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId:

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Anonymous
    2025-03-19T10:13:16.2933333+00:00

    Hello @Shah, Samip,

    Thank you for posting your query on Microsoft Q&A.

    Based on the query, I understand the token does not contain a key ID, which caused token validation to fail.

    There are two different scenarios which might cause the issue:

    Scenario 1: Microsoft Graph access token

    If the "aud" claim is one of the following: https://graph.microsoft.com or 00000003-0000-0000-c000-000000000000 then you will see this validation error.
    Note: Starting January 15, 2025, audience claim "aud" in access tokens for Microsoft Graph will change from a URI format (e.g., https://graph.microsoft.com ) to an AppID GUID format. This SFI change aims to enhance security by making it harder to spoof audience claims. Customer applications/APIs should not validate these tokens. This is an anti-pattern and can cause application failure if actions are taken based on token properties not intended for them. There is no ability to exclude tenants from this behavior.

    In order to retrieve the token without any issue, you need to retrieve the token for your application, not for Microsoft Graph. This can be done by configuring an application as an API and adding it to the current application from API permissions --> API's in my organization for use. This removes Microsoft Graph as the resource API, which changes the aud from Microsoft Graph to your application.

    Here is how you can configure a registered application as a web API and add it to the primary application as an API: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-expose-web-apis

    Scenario 2: Your Issuer/Authority configuration may be mis-configured and pulling the wrong keys

    If you want to validate an access token issued by Azure AD (not Azure B2C) where the issuing tenant looks like this:

    "iss": "https://login.microsoftonline.com/aa00d1fa-####-####-####-############/v2.0"

    "iss": "https://sts.windows.net/aa00d1fa-####-####-####-############/"

    Make sure your Issuer/Authority is configured according to one of the following:

    https://login.microsoftonline.com/aa00d1fa-####-####-####-############/

    https://login.microsoftonline.com/aa00d1fa-####-####-####-############/v2.0/

    In order to find the keys of your tenant, please open this link: https://login.microsoftonline.com/aa00d1fa-####-####-####-############/discovery/v2.0/keys

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"

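The two scenarios in the answer above can be told apart by looking at the token itself before the .NET middleware ever tries to validate it: the `aud` claim shows whether the token was minted for Microsoft Graph rather than for your app, and the JOSE header's `kid` (or its absence) is what IDX10503 is complaining about. The following script is an added diagnostic example, not code from the quickstart or from the answer. It parses a JWT without verifying its signature (this is a triage aid only, never a replacement for signature validation), flags a Graph audience, a missing or unknown `kid` against a JWKS document, and an `iss` that does not match the tenant. The tenant ID, app ID, `kid` values, JWKS document and tokens are all constructed placeholders; the issuer and discovery URL shapes are the ones quoted in the answer.

```python
import base64
import json

# Audiences that identify a Microsoft Graph access token (both forms named in the answer).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Constructed placeholder identifiers (not a real tenant or app).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def expected_issuers(tenant_id):
    """v1 and v2 issuer values for a tenant, as shown in the answer."""
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def jwks_url(tenant_id):
    """Discovery endpoint where the tenant's signing keys can be fetched."""
    return f"https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(header, payload):
    """Build a constructed, UNSIGNED token for the demo; the signature part is a dummy."""
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "dummy-signature"])


def decode_token(token):
    """Split a compact JWS and return (header, payload) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose(token, expected_audience, tenant_id, jwks):
    """Return a list of findings explaining why validation would be expected to fail."""
    header, payload = decode_token(token)
    findings = []

    # Scenario 1: the token was issued for Microsoft Graph, not for this app.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if any(a in GRAPH_AUDIENCES for a in audiences):
        findings.append("graph-token")
    elif expected_audience not in audiences:
        findings.append("wrong-audience")

    # Scenario 2: issuer does not match the tenant the middleware fetches keys for.
    if payload.get("iss") not in expected_issuers(tenant_id):
        findings.append("unexpected-issuer")

    # The IDX10503 condition: no kid in the header, or a kid not present in the JWKS.
    known_kids = {key.get("kid") for key in jwks.get("keys", [])}
    kid = header.get("kid")
    if kid is None:
        findings.append("missing-kid")
    elif kid not in known_kids:
        findings.append("unknown-kid")
    return findings


# Constructed JWKS document: only the kid matters for this triage, so the key material is omitted.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "constructed-kid-1"}]}

# Constructed token resembling the failing case: Graph audience and no kid in the header.
GRAPH_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT"},
    {"aud": "https://graph.microsoft.com", "iss": f"https://sts.windows.net/{TENANT_ID}/"},
)

# Constructed token shaped like one issued for the app itself.
APP_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-1"},
    {"aud": APP_ID, "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"},
)

# Constructed token from a different authority with a kid the tenant's JWKS does not list.
FOREIGN_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-9"},
    {"aud": APP_ID, "iss": "https://login.microsoftonline.com/common/v2.0"},
)

if __name__ == "__main__":
    print("fetch keys from:", jwks_url(TENANT_ID))
    for name, tok in [("graph", GRAPH_TOKEN), ("app", APP_TOKEN), ("foreign", FOREIGN_TOKEN)]:
        print(name, diagnose(tok, APP_ID, TENANT_ID, SAMPLE_JWKS))
```

In practice you would paste the real token into `diagnose` and load `jwks` from the discovery URL the answer gives; an empty findings list means the token at least names your app and a key the tenant publishes, so the remaining work is in the Authority/issuer settings of the .NET app rather than in the token request.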

