Is it known when/if Azure AD B2C will support PS512 (RSASSA-PSS) signatures of tokens from identity providers?

Vit Mistina 1 Reputation point

Hello there, I've set up a flow and later a matching custom policy with an OIDC identity provider. It is a "bank identity" on the Czech market and I'd like to use this service for "social" sign-up and sign-in.

The issue is they are really serious about security and sign their JWTs with PS512 (RSASSA-PSS) algorithm.

AD B2C fails during signature validation with these errors found in App Insights:
IDX10618: AsymmetricSecurityKey.GetHashAlgorithmForSignature( 'PS512' ) threw an exception.

The algorithm PS512 is not supported for operation GetHashAlgorithmForSignature.

Do you know if there is some public roadmap/backlog? I want to have an idea whether support for this algo is coming in some foreseeable future...

Thank you,
Vit Mistina

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,703 questions
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,441 Reputation points

    Hi @Vit Mistina • Thank you for reaching out.

    If you check the metadata endpoint for your User Flow or for the B2C tenant, the supported token signing algorithm is RS256.

    I checked with the B2C product team, there are no plans on adding PS512 (RSASSA-PSS) algorithm as of now.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments