This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 49%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
We are working on an application that uses the LTI 1.3 specifications, which sits on top of the OpenId Connect 1.0 specification. The open id connect specs allow for initiating login from a 3rd party. https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin.
Our use case is we don’t want a login screen to appear. We do not have any SelfAsserted technical profiles. We've done an OpenId Connect flow using the Identity Experience Framework (custom policies) up to the point where the 3rd party issues an id_token and it’s posted to the Azure B2C url https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
We have found out that the Azure B2C is not using the jwks_uri endpoint found in the .well-known/openid-configuration metadata endpoint that we specified in the TechnicalProfile.
The error that we are receiving is:
AADB2C90239: The provided token failed signature validation. Please provide another token and try again.
When I copy the id_token and use the jwks_uri endpoint from the 3rd party well-known endpoint that we specified in the TechnicalProfile to validate the token, it is a valid token.
What is Azure B2C using to validate the signature of the id_token posted to https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
The applications require some attributes to be checked which will be prepopulated for the user during sign up. You may need to try setting up the IDP again to be sure that the IDP was correctly configured. In the past I've been able to resolve this by checking some of the attributes that had been configured to return claims to the application to consume.
If you're still stuck on this you can feel free to send me an email at AzCommunity@microsoft.com and I can open a support case to get this looked into. It may be easier to troubleshoot this if there is more visibility into your full setup.