error verifying token using SSO OpenID

vic 0 Reputation points
2024-07-12T07:53:46.24+00:00

We are having some trouble using Microsoft Entra with one of our clients. When it tries to log in using an SSO OpenID method, it gets an error that it cannot verify the ID token signature.
In our application, we set the SSO URL, secret token and application ID, and our customers can log in using SSO authentication.
In the Microsoft Entra settings, the customer has to set up the callback URL, claims and so on to log in to our application.

These are some points we have checked with the client:

  • Our client told us that they are using multi-domain in Microsoft Entra.
  • They can log in using SSO into other platforms.
  • The endpoints used to set up the OpenID SSO configuration are correct.
  • The secret and application ID provided by Microsoft Entra are correct.

It only happens with one client; other clients using Microsoft Entra authentication can log in to our platform.

I am thinking that if they are using multi-domain it cannot correctly retrieve the ID token, but I don't have any clue about that.

Update 1: We are using the https://github.com/coreos/go-oidc library for the control flow.

Update 2: Using the library from Update 1, we set the endpoints provided by Microsoft from the URL https://login.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration

Update 3: The claims settings are the following:
(screenshot of the claims settings, taken 2024-07-19, not reproduced)


1 answer

  1. Raja Pothuraju 7,135 Reputation points Microsoft Vendor
    2024-07-16T09:24:31.9266667+00:00

    Hello @vic,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you are encountering an issue with the OpenID SSO method, specifically an error indicating it cannot verify the ID token signature. You've already confirmed that users can access other applications and endpoints configured with OpenID SSO, and you've verified the appID and client secret values.

    The error message typically occurs when the generated ID token signature is invalid or does not meet the expected format. To resolve this issue, please decode the token using jwt.io and verify if the generated ID token has a valid signature.

    I generated an ID token in my test tenant and decoded it using jwt.io. If the token has a valid signature, it will display "Signature Valid" as shown in the screenshot below:

    (screenshot: jwt.io showing "Signature Valid", not reproduced)

    If the ID token signature is not valid, jwt.io will indicate "Invalid Signature." Please review and confirm this information.

    The following JWT claims should be validated in the ID token after validating the signature on the token. Your token validation library may also validate the following claims:

    • Timestamps: the iat, nbf, and exp timestamps should all fall before or after the current time, as appropriate.
    • Audience: the aud claim should match the app ID for your application.
    • Nonce: the nonce claim in the payload must match the nonce parameter passed into the /authorize endpoint during the initial request.

    Please refer to the documents below for reference.

    https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc

    If the information provided did not resolve your issue, please share a screenshot of the error message for further assistance.

    Regarding your query about multi-domain usage in Microsoft Entra: does this mean that users attempting to access the application come from different tenants? Or are the multi-domain users also members of the same home directory? Could you please provide clarification on this?

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.
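The claim checks the answer lists (iat/nbf/exp, aud, nonce), plus the check that iss matches the issuer from the tenant's discovery document, as an added Go example in the language of the go-oidc library the question uses. This is not code from the page, from go-oidc or from Microsoft; the function name, the skew parameter and the sample values in the usage are assumptions, and the code assumes the token's signature has already been verified by the library.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// IDTokenClaims is the subset of Entra v2.0 ID token claims checked below.
type IDTokenClaims struct {
	Iss   string `json:"iss"`   // must equal "issuer" in the tenant's discovery document
	Aud   string `json:"aud"`   // the application (client) ID
	Nonce string `json:"nonce"` // echoes the nonce sent to /authorize
	Iat   int64  `json:"iat"`
	Nbf   int64  `json:"nbf"`
	Exp   int64  `json:"exp"`
}

// CheckIDTokenClaims (hypothetical helper) decodes a compact JWS payload and applies the issuer,
// audience, nonce and timestamp checks with `skew` of tolerated clock drift. It does NOT verify
// the signature: call it only on a token the OIDC library has already verified.
func CheckIDTokenClaims(token, issuer, clientID, nonce string, now time.Time, skew time.Duration) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS (header.payload.signature)")
	}
	c := &IDTokenClaims{}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, c)
	}
	if err != nil {
		return nil, errors.New("payload is not base64url-encoded JSON")
	}
	// Each check is evaluated in order; the first failure is reported so the operator
	// can tell a wrong tenant/issuer apart from an expired or replayed token.
	checks := []struct{ bad bool; msg string }{
		{c.Iss != issuer, "iss does not match the discovery document issuer"},
		{c.Aud != clientID, "aud does not match the application ID"},
		{c.Nonce != nonce, "nonce does not match the /authorize request"},
		{c.Iat > now.Add(skew).Unix(), "iat is in the future"},
		{c.Nbf > now.Add(skew).Unix(), "token not yet valid (nbf)"},
		{c.Exp <= now.Add(-skew).Unix(), "token expired (exp)"},
	}
	for _, ck := range checks {
		if ck.bad {
			return nil, errors.New(ck.msg)
		}
	}
	return c, nil
}
```

Run it on the decoded payload only after go-oidc's verifier has accepted the signature; a token whose signature fails to verify should never reach these checks.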

