Is it known when/if Azure AD B2C will support PS512 (RSASSA-PSS) signatures of tokens from identity providers?

Vit Mistina 1 Reputation point
2021-08-27T15:00:33.17+00:00

Hello there, I've set up a flow and later a matching custom policy with an OIDC identity provider. It is a "bank identity" on the Czech market and I'd like to use this service for "social" sign-up and sign-in.

The issue is they are really serious about security and sign their JWTs with PS512 (RSASSA-PSS) algorithm.

AD B2C fails during signature validation with these errors found in App Insights:
IDX10618: AsymmetricSecurityKey.GetHashAlgorithmForSignature( 'PS512' ) threw an exception.

The algorithm PS512 is not supported for operation GetHashAlgorithmForSignature.

Do you know if there is some public roadmap/backlog? I want to have an idea whether support for this algo is coming in some foreseeable future...

Thank you,
Vit Mistina

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. AmanpreetSingh-MSFT 56,876 Reputation points Moderator
    2021-09-01T16:47:30.407+00:00

    Hi @Vit Mistina • Thank you for reaching out.

    If you check the metadata endpoint for your User Flow or for the B2C tenant, the supported token signing algorithm is RS256.

    I checked with the B2C product team; there are no plans to add the PS512 (RSASSA-PSS) algorithm as of now.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

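The mismatch in this thread is visible before any cryptography happens: the token's JOSE header says `PS512`, and the relying party's discovery document only lists `RS256` under `id_token_signing_alg_values_supported`. The following Python is an added example, not code from the thread or from Azure AD B2C, showing how to catch that mismatch up front. The metadata document, the issuer URLs, the `kid` value and the token itself are all constructed for the example; the token carries a dummy signature and is only suitable for header inspection.

```python
import base64
import json

# Constructed OIDC discovery (metadata) document, modelled on the answer's
# statement that a B2C tenant's metadata endpoint advertises RS256 only.
# The issuer is a placeholder, not a real tenant.
B2C_METADATA = {
    "issuer": "https://example-tenant.b2clogin.invalid/",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# JWS "alg" families from RFC 7518, keyed by the two-letter prefix.
ALG_FAMILIES = {
    "RS": "RSASSA-PKCS1-v1_5",
    "PS": "RSASSA-PSS",
    "ES": "ECDSA",
    "HS": "HMAC",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without '=' padding, as JWT segments are."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def describe_alg(alg: str) -> str:
    """Human-readable description of a JWS alg, e.g. PS512 -> RSASSA-PSS using SHA-512."""
    if alg == "none":
        return "unsigned (alg=none)"
    family = ALG_FAMILIES.get(alg[:2])
    bits = alg[2:]
    if family is None or bits not in ("256", "384", "512"):
        return f"unrecognised algorithm {alg!r}"
    return f"{family} using SHA-{bits}"


def jwt_header(token: str) -> dict:
    """Parse the JOSE header of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JOSE header is missing the required 'alg' member")
    return header


def check_alg_compatibility(token: str, metadata: dict) -> tuple:
    """Report whether the token's alg is one the relying party advertises.

    Returns (alg, compatible, message). Only the header is inspected, which
    is where the IDX10618 failure in the question occurs: the validator stops
    before looking at any key material or signature bytes.
    """
    alg = jwt_header(token)["alg"]
    supported = metadata.get("id_token_signing_alg_values_supported", [])
    if alg == "none":
        return alg, False, "token is unsigned; reject regardless of metadata"
    if alg in supported:
        return alg, True, f"{alg} ({describe_alg(alg)}) is advertised by the relying party"
    return (
        alg,
        False,
        f"{alg} ({describe_alg(alg)}) is not in the relying party's supported set "
        f"{supported}; signature validation will fail before it starts",
    )


def make_sample_token(alg: str) -> str:
    """Build a constructed, syntactically valid JWT with a dummy signature.

    The signature segment is 64 zero bytes, not a real signature, so the
    token is only useful for exercising header inspection.
    """
    header = {"alg": alg, "typ": "JWT", "kid": "constructed-kid-1"}
    payload = {"iss": "https://idp.example.invalid/", "sub": "user-123", "aud": "b2c-app"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 64),
    ])


if __name__ == "__main__":
    for alg in ("PS512", "RS256", "none"):
        print(check_alg_compatibility(make_sample_token(alg), B2C_METADATA))
```

Run against the constructed `PS512` token, the check reports the same incompatibility the question's App Insights log shows; against an `RS256` token it passes. The check is a diagnostic for the integration, not a substitute for verification: a relying party should pin the algorithms it accepts from its own configuration rather than trusting the token's `alg` header to pick one, and `alg: none` is always rejected.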
