B2C - Access Token validating fails with JWTSecurityTokenHandler - Signature invalid

Anonymous
2022-06-07T10:54:03.88+00:00

I am trying to validate my access token generated by my app registered on B2C, but I am getting an "Invalid signature" error when I try to validate the token using a custom library.

I followed the instructions given in the answer section of the following thread

https://learn.microsoft.com/en-us/answers/questions/422202/access-token-validating-fails-with-jwtsecuritytoke.html

I could validate the token signature successfully when validating using a console application. When I add the same code and parameters into the custom library, the token signature is not getting validated. What could be the issue?

My source code is in the following repository

https://github.com/suresh-babu-s/Auth.API.git

I use the following code to validate the signature.

//source code - start

// Usings added here; the original post omits them.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

private bool ValidateCurrentToken(string token, string modulus, string exponent, string issuer, string audience)
{
    bool isSuccess = false;

    try
    {
        // Build the RSA public key from the "n" (modulus) and "e" (exponent) members of the
        // JWK published at the policy's jwks_uri. Both values are base64url encoded, not plain base64.
        // RSACryptoServiceProvider is Windows-specific; RSA.Create() is the cross-platform equivalent.
        RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
        rsa.ImportParameters(
            new RSAParameters()
            {
                Modulus = FromBase64Url(modulus),
                Exponent = FromBase64Url(exponent)
            });

        var validationParameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateAudience = true,
            ValidateIssuer = true,
            ValidateLifetime = true,
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = new RsaSecurityKey(rsa)
        };

        SecurityToken validatedSecurityToken = null;
        var handler = new JwtSecurityTokenHandler();
        // Throws a SecurityTokenException subclass (e.g. SecurityTokenInvalidSignatureException) on failure.
        var claimPrincipal = handler.ValidateToken(token, validationParameters, out validatedSecurityToken);
        //JwtSecurityToken validatedJwt = validatedSecurityToken as JwtSecurityToken;
        isSuccess = claimPrincipal.Identity.IsAuthenticated;
    }
    catch (Exception ex)
    {
        //log exception

        isSuccess = false;
    }
    return isSuccess;
}

// Base64url decoder referenced above; its body is not in the original post and is supplied here.
private static byte[] FromBase64Url(string base64Url)
{
    string s = base64Url.Replace('-', '+').Replace('_', '/');
    switch (s.Length % 4)
    {
        case 2: s += "=="; break;
        case 3: s += "="; break;
    }
    return Convert.FromBase64String(s);
}

//source code - end


1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA (Moderator)
    2022-06-10T05:14:32.48+00:00

    Hello @Anonymous, please ensure modulus and exponent values are obtained from the OpenID Connect metadata endpoint. Also, I noticed you're using an outdated version of System.IdentityModel.Tokens.Jwt. Update to the latest and ensure Microsoft.IdentityModel.* packages are added to the lib project.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.
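The answer above points at the OpenID Connect metadata endpoint as the source of the signing key. As an added example (not code from the question's repository or from the answerer), the following C# loads the B2C policy's signing keys from that endpoint with `ConfigurationManager<OpenIdConnectConfiguration>`, checks that the token header's `kid` is among the published keys before validating, and reports the specific failure class instead of a bare false. The tenant name, policy name and client id in the usage section are placeholders; it needs the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect packages.

```csharp
// Added example, not part of the original question or answer.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public sealed class B2CTokenValidator
{
    // Downloads the discovery document and the JWKS it points at, caches them,
    // and refreshes automatically when B2C rotates its signing keys.
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata;
    private readonly string _audience;

    public B2CTokenValidator(string metadataAddress, string audience)
    {
        _metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress, new OpenIdConnectConfigurationRetriever());
        _audience = audience;
    }

    public async Task<(bool IsValid, string Reason)> ValidateAsync(string token, CancellationToken ct = default)
    {
        var handler = new JwtSecurityTokenHandler();
        OpenIdConnectConfiguration config = await _metadata.GetConfigurationAsync(ct);

        // Diagnostic step: the "kid" in the token header must match a key published by the
        // same policy whose metadata is being queried. If it does not, the token came from a
        // different user flow or tenant and no published key can verify its signature.
        JwtSecurityToken unvalidated = handler.ReadJwtToken(token);
        string kid = unvalidated.Header.Kid;
        if (!config.SigningKeys.Any(k => k.KeyId == kid))
        {
            return (false, $"No signing key with kid '{kid}' in metadata for issuer '{config.Issuer}'.");
        }

        var parameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = config.Issuer,        // issuer taken from metadata, not hand-copied
            ValidateAudience = true,
            ValidAudience = _audience,          // client id of the API app registration
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = config.SigningKeys,
            ClockSkew = TimeSpan.FromMinutes(2)
        };

        try
        {
            handler.ValidateToken(token, parameters, out SecurityToken validated);
            return (true, $"Valid token for subject '{((JwtSecurityToken)validated).Subject}'.");
        }
        catch (SecurityTokenSignatureKeyNotFoundException ex)
        {
            return (false, "Signing key not found: " + ex.Message);
        }
        catch (SecurityTokenInvalidSignatureException ex)
        {
            return (false, "Signature check failed against the published keys: " + ex.Message);
        }
        catch (SecurityTokenException ex)
        {
            // Expired token, wrong audience, wrong issuer, and similar.
            return (false, ex.GetType().Name + ": " + ex.Message);
        }
    }

    // Usage with placeholder values (tenant "contoso", policy "B2C_1_signupsignin", zero GUID client id).
    public static async Task<bool> ExampleAsync(string accessToken)
    {
        var validator = new B2CTokenValidator(
            "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration",
            "00000000-0000-0000-0000-000000000000");
        var (ok, reason) = await validator.ValidateAsync(accessToken);
        Console.WriteLine(reason);
        return ok;
    }
}
```

Taking both the issuer and the keys from the same metadata document removes the two usual sources of a console-versus-library mismatch: a modulus or exponent copied from the wrong policy's JWKS, and a hard-coded issuer string that does not match the `iss` claim B2C actually emits for that policy.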

