This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 22%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hi,
I'm following the steps mentioned in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate and https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials to perform client certificate validation but I'm getting below error
{
"error": "invalid_client",
"error_description": "AADSTS700027: Key was found, but use of the key to verify the signature failed. [Reason - Key was found, but use of the key to verify the signature failed., Thumbprint of key used by client: 'xxxx', Found key 'Start=06/08/2022 08:43:19, End=06/08/2023 09:03:19', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxx'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/xxxx'].\r\nTrace ID: xxxx\r\nCorrelation ID: xxxx\r\nTimestamp: 2022-06-08 17:39:02Z",
"error_codes": [
700027
],
"timestamp": "2022-06-08 17:39:02Z",
"trace_id": "xxxx",
"correlation_id": "xxxx",
"error_uri": "https://login.microsoftonline.com/error?code=700027"
}
CURL of request
curl --location --request POST 'https://login.microsoftonline.com/xxxx/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'client_id=xxxx' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=xxxx' \
--data-urlencode 'grant_type=client_credentials'
Can someone please help with this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 46%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIM%3C/text%3E%3C/svg%3E)
I had the same issue and I fixed it by adding "trustedCertificateSubjects" to the "App registration" Manifest.
"trustedCertificateSubjects": [
{
"authorityId": "00000000-0000-0000-0000-000000000001",
"subjectName": "XXX.XXXXXXXXXXX.aad.XXXXXX.XX"
}
]
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 8%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
Where do you get the values for "authorityId" and "subjectName" ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 4%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
@Idan Mor Where can these values be found?