Issue with Azure Entra ID External Authentication: Error AADSTS50146

Ofer Leizerovich 0 Reputation points
2025-05-15T15:26:28.01+00:00

I'm experiencing a paradoxical authentication issue with Azure Entra ID External (formerly B2C) where my application is rejected for both certificate and client secret authentication methods.

Issue Description

When using client secret authentication, I receive:
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid."

When using certificate authentication, I receive:
"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.]"

This creates a contradictory situation where:

  • Using client secret: I'm told I must use a certificate
  • Using certificate: I'm told the certificate is not registered

Authentication Flow Details

  1. I've implemented the standard OAuth 2.0 authorization code flow
  2. I'm including the policy parameter in the token endpoint (?p=signup_signin)
  3. I've configured both authentication methods correctly in the app registration
  4. I've verified all credentials are valid and not expired

Troubleshooting Steps Already Taken

  1. Tried both authentication methods
  2. Modified app manifest to add/remove certificate configuration
  3. Verified client secret is correct and not expired
  4. Ensured token URL includes the policy parameter
  5. Verified all required redirect URIs are properly registered
  6. Checked user flow settings for certificate requirements
  7. Ensured proper API permissions are granted
  8. Used fresh authorization codes
  9. Reviewed related documentation and StackOverflow threads

How can I resolve this contradictory authentication behavior where both certificate and client secret authentication methods are rejected?


2 answers

  1. Harshitha Eligeti 4,380 Reputation points Microsoft External Staff Moderator
    2025-05-15T20:27:13.66+00:00

    Hello @Ofer Leizerovich
    I understand that you are experiencing a paradoxical authentication issue with Azure Entra ID External (formerly B2C) where your application is rejected for both certificate and client secret authentication methods.
    The errors you're encountering, AADSTS50146 and AADSTS700027, indicate issues with the configuration of your application in Azure Entra ID External.

    To resolve this AADSTS50146 error, review the Security Considerations:
    Applications that receive tokens rely on claim values that can't be tampered with. When you modify the token contents through claims customization, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified to protect themselves from customizations created by malicious actors. Protect from inappropriate customizations in one of the following ways:

    Without this, Microsoft Entra ID returns an AADSTS50146 error code.

    To resolve this error "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.]"
    Cause

    This is generally caused when the wrong private key is used to sign the client assertion, or when the wrong Public Key Thumbprint is sent to Azure AD.

    Scenario 1: Make sure you are using the correct Private Key.

    Troubleshooting

    How do I verify that a private key matches a certificate? (OpenSSL) To verify that a private key matches its certificate you need to compare the modulus of the certificate against the modulus of the private key.

    Pre-requisite: Install OpenSSL https://slproweb.com/products/Win32OpenSSL.html

    Run the following command to view the modulus of the certificate.

    openssl x509 -noout -modulus -in server.crt | openssl md5 
    

    Now you will receive the modulus something like a77c7953ea5283056a0c9ad75b274b96

    Run the following command to view the modulus of the private key.

    openssl rsa -noout -modulus -in myserver.key | openssl md5 
    

    Now you should get the modulus as same as certificate modulus above. i.e. a77c7953ea5283056a0c9ad75b274b96

    If the modulus of the certificate and the modulus of the private key do not match, then you're not using the right private key. You can create a brand-new key.

    Scenario 2: Wrong Public Key provided in Client Assertion request

    When the Client Assertion is generated, the Public Key to be used is identified in the "kid" or "x5t" claim.

    Make sure these claims are updated correctly.

    Do let us know if you have any queries. We are happy to assist you further.
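
The two scenarios in the answer above (private key not matching the uploaded certificate; wrong thumbprint in the "x5t"/"kid" header) can be checked end to end with OpenSSL. The script below is an added example and is not code from the thread or from Microsoft: it generates a throwaway key/certificate pair (constructed here; a real app uploads its own certificate's public part under Certificates & secrets), refuses to sign when the modulus check fails, builds a client assertion whose x5t is the base64url SHA-1 of the DER certificate (the same value the portal shows as the hex thumbprint), and verifies the signature with nothing but the certificate, which is all the token endpoint has. The client ID and token endpoint at the bottom are placeholders.

```shell
#!/bin/sh
# Added example: build and check an Entra ID client assertion with OpenSSL.
# Assumed placeholders (not from the original post): CLIENT_ID, TOKEN_ENDPOINT.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Inverse of b64url: restore padding and the standard alphabet, then decode.
b64url_decode() {
  s=$(cat)
  case $(( ${#s} % 4 )) in 2) pad='==' ;; 3) pad='=' ;; *) pad='' ;; esac
  { printf '%s' "$s" | tr '_-' '/+'; printf '%s' "$pad"; } | openssl base64 -d -A
}

# Scenario 1 from the answer: the key is right only if its modulus equals the
# certificate's (sha256 of the modulus line instead of md5, same idea).
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Thumbprint as the portal displays it: hex SHA-1 over the DER certificate.
cert_thumbprint_hex() {
  openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//; s/://g'
}

# Scenario 2: the same SHA-1, base64url-encoded, goes into the JWT "x5t" header
# (Entra ID also accepts it in "kid"); this is what is looked up on the app.
cert_x5t() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | b64url
}

# Sign header.payload with RS256 using the private key. Refuses to sign with a key
# that does not belong to the certificate, which would otherwise produce AADSTS700027.
make_client_assertion() {
  cert=$1; key=$2; client_id=$3; token_endpoint=$4
  key_matches_cert "$cert" "$key" || { echo "private key does not match $cert" >&2; return 1; }
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT","x5t":"%s"}' "$(cert_x5t "$cert")" | b64url)
  payload=$(printf '{"aud":"%s","iss":"%s","sub":"%s","jti":"%s","nbf":%s,"exp":%s}' \
    "$token_endpoint" "$client_id" "$client_id" "$(openssl rand -hex 16)" \
    "$now" "$((now + 600))" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# What the token endpoint can do with the uploaded certificate alone: check the
# signature over header.payload against the certificate's public key.
verify_client_assertion() {
  cert=$1; jwt=$2
  tmp=$(mktemp -d)
  openssl x509 -in "$cert" -pubkey -noout > "$tmp/pub.pem"
  printf '%s' "${jwt##*.}" | b64url_decode > "$tmp/sig.bin"
  if printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
       -signature "$tmp/sig.bin" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Constructed demo material: a self-signed cert with its key, plus an unrelated key.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/app.key" -out "$1/app.crt" \
    -subj "/CN=demo-confidential-client" -days 1 >/dev/null 2>&1
  openssl genrsa -out "$1/wrong.key" 2048 >/dev/null 2>&1
}

CLIENT_ID="11111111-2222-3333-4444-555555555555"                      # placeholder
TOKEN_ENDPOINT="https://login.microsoftonline.com/common/oauth2/v2.0/token"  # placeholder
dir=$(mktemp -d)
make_demo_pair "$dir"
echo "thumbprint to compare with the portal: $(cert_thumbprint_hex "$dir/app.crt")"
jwt=$(make_client_assertion "$dir/app.crt" "$dir/app.key" "$CLIENT_ID" "$TOKEN_ENDPOINT")
echo "client_assertion=$jwt"
verify_client_assertion "$dir/app.crt" "$jwt" && echo "signature verifies against app.crt"
make_client_assertion "$dir/app.crt" "$dir/wrong.key" "$CLIENT_ID" "$TOKEN_ENDPOINT" \
  >/dev/null 2>&1 || echo "refused: wrong.key does not belong to app.crt"
```

The printed assertion is what goes into the token request as client_assertion, together with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer; aud must be the token endpoint the request is actually posted to, so for a B2C-style endpoint use that URL rather than the placeholder. If the hex thumbprint printed here differs from the one shown next to the uploaded certificate, the x5t can never match, whatever key signs the assertion.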


  2. Jinnie Nguyen 310 Reputation points Independent Advisor
    2025-05-22T04:30:30.63+00:00

    Hello Ofer Leizerovich,

    Thank you for contacting Q&A Forum. I would like to provide my findings and proposed solution:

    1. Renew Client Secret: Sign in to the Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Applications > App registrations > select your app > Certificates & secrets > New client secret. Generate a new secret, copy the value (not ID), and update your application with the new secret. Remove the old secret to avoid conflicts.

    2. Renew Certificate: In the same Certificates & secrets section, upload a new valid certificate (public key), ensure the private key matches your app’s client assertion, and update the thumbprint. Verify the certificate is active and registered.

    This approach should address the expired or mismatched key issue causing the authentication failures. If the problem persists after renewal, please raise a support ticket via Azure Portal > Help + support > New support request with your app’s client ID and error details for further assistance.


    If I have answered your question, please accept this as the answer as a token of appreciation, and don't forget to thumbs up for "Was it helpful"!

    Best,

