B2C - Access Token validating fails with JWTSecurityTokenHandler - Signature invalid

asked 2022-06-07T10:54:03.88+00:00
Suresh Babu 1 Reputation point

I am trying to validate my access token generated by my app registered on B2C, but getting an "Invalid signature" error when try to validate the token using a custom library.

I followed the instructions given in the answer session of the following thread


I could validate the token signature successfully when validating using a console application. When I add the same code and parameters into the custom library, the token signature is
not getting validated. What could be the issue?

My source code is in the following repository


I use the following code to validate the signature.

//source code - start

private bool ValidateCurrentToken(string token, string modulus, string exponent, string issuer, string audience)
bool isSuccess = false;

            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();  
              new RSAParameters()  
                  Modulus = FromBase64Url(modulus),  
                  Exponent = FromBase64Url(exponent)  

            var validationParameters = new TokenValidationParameters  
                RequireExpirationTime = true,  
                RequireSignedTokens = true,  
                ValidateAudience = true,  
                ValidateIssuer = true,  
                ValidateLifetime = true,  
                ValidIssuer = issuer,  
                ValidAudience = audience,  
                IssuerSigningKey = new RsaSecurityKey(rsa)  

            SecurityToken validatedSecurityToken = null;  
            var handler = new JwtSecurityTokenHandler();  
            var claimPrincipal = handler.ValidateToken(token, validationParameters, out validatedSecurityToken);  
            //JwtSecurityToken validatedJwt = validatedSecurityToken as JwtSecurityToken;  
            isSuccess = claimPrincipal.Identity.IsAuthenticated;  
        catch (Exception ex)  
            //log exception  

            isSuccess = false;  
        return isSuccess;  

//source code - end

Azure Active Directory External Identities
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
659 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. answered 2022-06-10T05:14:32.48+00:00
    Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

    Hello @Suresh Babu , please ensure modulus and exponent values are obtained from the OpenID Connect metadata endpoint. Also, I noticed you're using an outdated version of System.IdentityModel.Tokens.Jwt. Update to the latest and ensure Microsoft.IdentityModel.* packages are added to the lib project.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.