Access Token validating fails with JWTSecurityTokenHandler - Signature invalid

Harald Thönig 131 Reputation points
2021-06-04T08:00:02.747+00:00

I try to validate an access token, which I get from Azure. I created the token the following way:

1. I did an Azure AD App Registration for our application.
2. Created a Search Bot and added the app registration to the bot.
3. I tested the connection in the bot successfully and got an Access Token ![102398-createaccesstoken.png][1]

In our C# application we try to validate the token with JWTSecurityTokenHandler, but the signature is invalid:

    Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException
    HResult=0x80131500
    Message=IDX10511: Signature validation failed. Keys tried: 'System.Text.StringBuilder'. kid: 'System.String'. Exceptions caught: 'System.Text.StringBuilder'. token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
    Source=TokenTestApp
    StackTrace:
    at TokenTestApp.Program.ValidateTokenInternal(String token, String issuer, String validAudience, String wellKnownUrl, CancellationToken ct) in C:\Users\ttt\Source\Repos\TokenTestApp\TokenTestApp\Program.cs:line 109
    at TokenTestApp.Program.Main(String[] args) in C:\Users\ttt\Source\Repos\TokenTestApp\TokenTestApp\Program.cs:line 23

The only way around this was to deactivate the signature validation by using the SignatureValidator delegate in the TokenValidationParameters class – which is obviously a bad idea. Is there a way to validate these tokens with the JWTSecurityTokenHandler?

Thanks for your help!

[1]: /api/attachments/102398-createaccesstoken.png?platform=QnA

Azure AI Bot Service

Accepted answer
  1. Harald Thönig 131 Reputation points
    2021-06-23T07:02:12.463+00:00

    Hi
    I got a solution from Microsoft. The problem was the following in my app registration:
    I defined a scope from Graph API: User.Read User.ReadBasic.All Mail.Read
    If a scope is set from Graph API, the token can only be validated by Graph!
    You can see that in jwt.io. If the aud is like "00000003-0000-0000-c000-000000000000", the token is for Graph.
    What I had to do to solve the problem:

    1. To protect our own custom API, I had to register an application to represent it in Azure AD and obtain an access_token/id_token for it. I had already done this before.
    2. Section - Expose an API: Create a new scope: name = access_as_user
    3. Section - API permissions: Add a new permission for my registered application and my scope access_as_user
    4. Section - Manifest: Change entry "accessTokenAcceptedVersion" from null to 2
    5. Check the new token from Azure with jwt.io. If the aud is equal to the registered application id, the token can be successfully validated.

    That's it. Hope it helps all others who are searching for a solution to a problem like that.

    Best regards
    Harald

    7 people found this answer helpful.
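The validation the question and the accepted answer describe, written out as an added example in C# (not code from either poster). It fetches the tenant's signing keys from the OpenID Connect metadata, rejects a token whose aud is Microsoft Graph before attempting a signature check (that is the IDX10511 case from the question: only Graph can verify those), and then validates issuer, audience, lifetime and signature with JwtSecurityTokenHandler, finally checking that the access_as_user scope from the answer is present. The tenant id and the API's application (client) id are placeholders; the names ApiTokenValidator and ValidateAsync are my own.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example, not the poster's code. Requires the NuGet packages
// System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect.
public static class ApiTokenValidator
{
    // Placeholders (assumptions): fill in from the app registration.
    const string TenantId = "<TENANT_ID>";
    const string ApiClientId = "<API_CLIENT_ID>";   // with accessTokenAcceptedVersion = 2, aud equals this

    // Well-known aud of Microsoft Graph (from the accepted answer). Such tokens are
    // meant for Graph only; their signature cannot be verified by a third party.
    const string GraphAudience = "00000003-0000-0000-c000-000000000000";

    // Required scope, as exposed on the API in the accepted answer.
    const string RequiredScope = "access_as_user";

    static readonly string Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";

    // Downloads and caches issuer + JWKS signing keys, refreshing them automatically
    // so key rollover does not break validation.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{Authority}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    public static async Task<ClaimsPrincipal> ValidateAsync(string token, CancellationToken ct)
    {
        var handler = new JwtSecurityTokenHandler();

        // Read without validating, purely to give a clear error for a Graph token
        // instead of the opaque IDX10511. Nothing from this object is trusted.
        var unvalidated = handler.ReadJwtToken(token);
        if (unvalidated.Audiences.Contains(GraphAudience))
            throw new SecurityTokenInvalidAudienceException(
                "Token was issued for Microsoft Graph, not for this API; only Graph can validate it.");

        var config = await ConfigManager.GetConfigurationAsync(ct);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,             // https://login.microsoftonline.com/{tenant}/v2.0
            ValidAudience = ApiClientId,             // aud must be our own application id
            IssuerSigningKeys = config.SigningKeys,  // keys from the tenant's JWKS endpoint
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            // SignatureValidator deliberately left unset: the built-in check must run.
        };

        // Throws a SecurityTokenException subclass on any failure (bad signature,
        // wrong audience, expired, unknown issuer).
        ClaimsPrincipal principal = handler.ValidateToken(token, parameters, out SecurityToken _);

        // Authorization on top of authentication: the scope defined on the API must be present.
        var scopes = principal.FindFirst("scp")?.Value.Split(' ') ?? Array.Empty<string>();
        if (!scopes.Contains(RequiredScope))
            throw new UnauthorizedAccessException($"Token lacks required scope '{RequiredScope}'.");

        return principal;
    }
}
```

One caveat on the audience value: with accessTokenAcceptedVersion set to 2 (step 4 of the answer) the aud claim is the bare application id, whereas a v1 token carries the Application ID URI (api://{client id}) instead, so an API that must accept both should list both values in ValidAudiences rather than ValidAudience.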

5 additional answers

  1. Evgeny Volkov 1 Reputation point
    2021-07-04T13:41:21.427+00:00

    Just FYI.

    Found a different way to validate the token.

        using System;
        using System.Net.Http;
        using System.Net.Http.Headers;
        using System.Threading.Tasks;

        // One shared client; creating a new HttpClient per call exhausts sockets.
        private static readonly HttpClient httpClient = new HttpClient();

        // Lets Microsoft Graph validate the token by calling /me with it. Works for tokens
        // whose aud is Graph, which is exactly the case a local signature check cannot handle.
        // The caller supplies the access token (the original left it as an empty string).
        private static async Task<string> Validate3(string token)
        {
            try
            {
                var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
                // Add the token in the Authorization header
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
                HttpResponseMessage response = await httpClient.SendAsync(request);
                // Note: an error body (e.g. 401 InvalidAuthenticationToken) is returned too;
                // inspect response.StatusCode before treating the result as a valid token.
                var content = await response.Content.ReadAsStringAsync();
                return content;
            }
            catch (Exception ex)
            {
                return ex.ToString();
            }
        }

