AADSTS700027: Client assertion failed signature validation

captain_atharv 511 Reputation points
2022-06-08T17:44:36.767+00:00

Hi,

I'm following the steps mentioned in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate and https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials to perform client certificate validation, but I'm getting the error below:
{
"error": "invalid_client",
"error_description": "AADSTS700027: Key was found, but use of the key to verify the signature failed. [Reason - Key was found, but use of the key to verify the signature failed., Thumbprint of key used by client: 'xxxx', Found key 'Start=06/08/2022 08:43:19, End=06/08/2023 09:03:19', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxx'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/xxxx'].\r\nTrace ID: xxxx\r\nCorrelation ID: xxxx\r\nTimestamp: 2022-06-08 17:39:02Z",
"error_codes": [
700027
],
"timestamp": "2022-06-08 17:39:02Z",
"trace_id": "xxxx",
"correlation_id": "xxxx",
"error_uri": "https://login.microsoftonline.com/error?code=700027"
}

CURL of request
curl --location --request POST 'https://login.microsoftonline.com/xxxx/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'client_id=xxxx' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=xxxx' \
--data-urlencode 'grant_type=client_credentials'

Can someone please help with this?


6 answers

  1. CarlZhao-MSFT 36,896 Reputation points
    2022-06-09T06:49:27.403+00:00

    Hi @captain_atharv

    As far as I know, this error is usually caused by the fact that you did not encode the thumbprint correctly. After you obtain the thumbprint, please check your code to ensure that it is properly Base64 encoded.

    Check the format of your JWT token at jwt.io.

    Header

    {
      "alg": "RS256",
      "typ": "JWT",
      "x5t": "<Base64 Thumbprint>"
    }

    Payload

    {
      "iss": "<clientid>",
      "sub": "<clientid>",
      "exp": 1570838377 (expiration time),
      "jti": "<random unique identifier>",
      "aud": "https://<token-endpoint>"
    }

    Drop your private key into the bottom verifier, which will sign your JWT in the "Encoded" window.

    I found some cases for your reference; I hope they can help you: https://community.dynamics.com/crm/f/microsoft-dynamics-crm-forum/320069/authentication-to-dynamics-365-using-azure-apps and https://github.com/AzureAD/passport-azure-ad/issues/453


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Siva-kumar-selvaraj 15,551 Reputation points
    2022-06-09T20:46:11.163+00:00

    In addition to what @CarlZhao-MSFT said, here are some other things that could cause the "AADSTS700027: Client assertion contains an invalid signature." error. Hope this helps.

    Cause:

    This is generally caused when the wrong private key is used to sign the client assertion, or when the wrong Public Key Thumbprint is sent to Azure AD.

    Scenario #1: Make sure you are using the correct Private Key.

    To verify that a private key matches its certificate you need to compare the modulus of the certificate against the modulus of the private key.

    Pre-requisite: openssl downloaded https://www.openssl.org/source/

    Run the following command to view the modulus of the certificate.

    openssl x509 -noout -modulus -in server.crt | openssl md5
    You will now receive the modulus as something like a77c7953ea5283056a0c9ad75b274b96

    Run the following command to view the modulus of the private key.

    openssl rsa -noout -modulus -in myserver.key | openssl md5
    You should now get the same modulus as the certificate modulus above, i.e. a77c7953ea5283056a0c9ad75b274b96

    If the modulus of the certificate and the modulus of the private key do not match, then you're not using the right private key. You can either create a brand new key and CSR and contact support, or search for all private keys on the system and compare their modulus.

    Scenario #2: Wrong Public Key provided in Client Assertion request

    When the Client Assertion is generated, the Public Key to be used is identified in the "kid" or "x5t" claim.

    Make sure these claims are updated correctly.

    For more information, see the following articles for proper client assertion generation:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
    https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-client-assertions

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. Akram Bazina 1 Reputation point
    2022-08-30T12:58:00.167+00:00

    View the certificate and use the SHA1 fingerprint.

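The x5t mismatch that answers 1 to 3 describe can be checked offline. This is an added example, not code from the thread or from Microsoft: it derives the x5t header value the way the certificate-credentials docs specify (base64url of the raw SHA-1 of the DER certificate), shows the value you get by mistakenly encoding the portal's hex text instead, assembles the header.payload signing input from the claims the answer above lists, and verifies that an assertion's x5t identifies a given certificate. The thumbprint, certificate bytes, ids and aud format are constructed sample values; RS256 signing of the returned signing input with the private key is left to your JWT library.

```python
import base64
import hashlib
import json

# Constructed sample: a SHA-1 thumbprint in the hex form the Azure portal
# displays. Made-up value, not any real certificate's thumbprint.
PORTAL_THUMBPRINT_HEX = "A77C7953EA5283056A0C9AD75B274B96D1E2F3A4"


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JOSE headers require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_from_cert_der(cert_der: bytes) -> str:
    """x5t = base64url(SHA-1 digest of the DER-encoded certificate)."""
    return b64url(hashlib.sha1(cert_der).digest())


def x5t_from_portal_thumbprint(thumbprint_hex: str) -> str:
    """Turn the portal's hex thumbprint into the x5t value: decode the hex
    to its 20 raw bytes first, then base64url those bytes."""
    raw = bytes.fromhex(thumbprint_hex.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("a SHA-1 thumbprint is exactly 20 bytes")
    return b64url(raw)


def wrong_x5t(thumbprint_hex: str) -> str:
    """The common mistake: base64-encoding the hex text itself. Azure AD
    then finds no key with this identifier, or the wrong one."""
    return b64url(thumbprint_hex.encode("ascii"))


def build_signing_input(client_id: str, tenant_id: str, x5t: str,
                        exp: int, jti: str) -> str:
    """header.payload of the client assertion; sign it with RS256."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    payload = {"iss": client_id, "sub": client_id, "jti": jti, "exp": exp,
               "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}"


def x5t_matches_cert(assertion: str, cert_der: bytes) -> bool:
    """Diagnostic: does the assertion's x5t identify this certificate?"""
    header_b64 = assertion.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)      # restore padding
    header = json.loads(base64.urlsafe_b64decode(header_b64))
    return header.get("x5t") == x5t_from_cert_der(cert_der)
```

Note the "-" in the correct value: x5t is base64url, so a standard base64 encoder that emits "+" or "/" also produces a key identifier Azure AD will not match.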

  4. Ram Siddarth Manickam 0 Reputation points Microsoft Employee
    2023-03-09T17:03:44.61+00:00

    @Akram Bazina can you provide an example on how to use the SHA1 fingerprint?


  5. Neelam Rana 0 Reputation points
    2023-05-15T08:25:33.93+00:00

    I got the same error when I tried to get an access token with a valid private key and a valid client id that exists in Azure AD. Both the private key (and certificate) and the client id were valid under the same tenant, but the required certificate was not uploaded for the mentioned client id. Only the wrong combination of client id and private key in the same tenant was used.
