Azure-Samples / active-directory-aspnetcore-webapp-openidconnect-v2

An ASP.NET Core web app which lets users sign in (from your org, many orgs, orgs + personal accounts, or sovereign clouds) and calls Web APIs (including Microsoft Graph)
MIT License
1.36k stars 975 forks

SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. #744

Open mrivasa opened 8 months ago

mrivasa commented 8 months ago

Microsoft.Identity.Web version

2.16

Web app sign-in

1-WebApp-OIDC/1-1-MyOrg

Web API (call Graph or downstream APIs)

Not applicable

Deploy to Azure

Not applicable

Auth Z

Not applicable

Description

Running the application after creating it following the instructions from the readme file I get the following error:

SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed ...

Reproduction steps

  1. Create the new solution using the following dotnet command. dotnet new mvc --auth SingleOrg --client-id <Enter_the_Application_Id_here> --tenant-id <yourTenantId> --domain <domainName.onmicrosoft.com>
  2. Make sure the client id (GUID), tenant id (GUID), and domain are the correct ones.
  3. Run the application.

Error message

Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '0'. Number of keys in Configuration: '6'. Exceptions caught: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Id Web logs

'[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10264: Reading issuer signing keys from validation parameters and configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10265: Reading issuer signing keys from configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10243: Reading issuer signing keys from validation parameters.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10243: Reading issuer signing keys from validation parameters.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10265: Reading issuer signing keys from configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10239: Lifetime of the token is valid.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10234: Audience Validated.Audience: 'XXXXXXXXX'
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Error: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '0'. Number of keys in Configuration: '6'.

Relevant code snippets

Configuration:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "mydomain.onmicrosoft.com",
  "TenantId": "8 ... 3",
  "ClientId": "6 ... a",
  "CallbackPath": "/signin-oidc",
  "EnablePiiLogging": false
}

I have not changed anything on the c# code that was generated by the "dotnet new" command. But I think this is the relevant part:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

Regression

No response

Expected behavior

Using SAML tracer on the browser I can see that after providing the credentials Azure AD posts back to my app with a token. Using jwt.ms I can decode the token and it is valid and contains a "kid". The audience on that token is my client id which was provided in the configuration section. Why is the exception happening then? The authentication was successful, and the token is correct.

mrivasa commented 8 months ago

I found a post on techcommunity.microsoft.com that shed light and helped me to resolve this issue.

ID token issued by AAD does not match public sign key

Basically, just add "?appid={your-app-guid}" to the well-known openid-configuration link used for the metadata address. This is needed when custom claim mappings are configured in your application.

Example:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(opt =>
    {
        builder.Configuration.Bind("AzureAd", opt);
        // Point metadata discovery at the app-specific document so the JWKS it
        // references carries the key Azure AD signs this app's tokens with.
        // Instance ends with '/' in the config, so trim it to avoid '//' in the URL.
        opt.MetadataAddress =
            $"{opt.Instance.TrimEnd('/')}/{opt.TenantId}/v2.0/.well-known/openid-configuration?appid={opt.ClientId}";
    });

Hope this helps somebody.
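The two checks in this thread, decoding the id_token to see which kid it carries and looking that kid up in the key set behind the metadata address (with and without ?appid=), as an added offline Python example. This is not code from the issue, the sample repo or Microsoft.Identity.Web; the JWKS documents, token and helper names (metadata_address, select_signing_key, diagnose) are this example's own constructed data and assumptions, and select_signing_key only approximates the kid lookup IdentityModel performs before verifying a signature.

```python
"""Offline re-creation of the diagnosis in this issue: build the metadata address
that carries ?appid=, and look a token's kid up in the JWKS that metadata points
to (the key-selection step that precedes signature verification).
All key material and tokens here are constructed sample data, not Azure AD output."""
import base64
import json
from typing import Optional
from urllib.parse import urlencode

# Constructed: shape of the tenant-wide key set reached from the plain metadata
# document. Moduli are placeholders; only the kid values matter for this check.
TENANT_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "tenant-key-1", "n": "sample-modulus-1", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "tenant-key-2", "n": "sample-modulus-2", "e": "AQAB"},
]}
# Constructed: what the key set looks like when the metadata address carries
# ?appid={client_id} and the app has custom claim mappings (adds an app-specific key).
APP_JWKS = {"keys": TENANT_JWKS["keys"] + [
    {"kty": "RSA", "use": "sig", "kid": "app-key-1", "n": "sample-modulus-3", "e": "AQAB"},
]}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def metadata_address(instance: str, tenant_id: str, client_id: Optional[str] = None) -> str:
    """Same URL the follow-up comment assigns to opt.MetadataAddress. Instance may or
    may not end in '/'; it is trimmed so the path never contains '//'."""
    base = f"{instance.rstrip('/')}/{tenant_id}/v2.0/.well-known/openid-configuration"
    if client_id is None:
        return base
    return f"{base}?{urlencode({'appid': client_id})}"


def make_sample_token(header: dict, payload: dict) -> str:
    """Constructed id_token with a placeholder signature. Only the header is
    inspected below; nothing in this example verifies a signature."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0]))


def select_signing_key(token: str, jwks: dict, allowed_algs=("RS256",)) -> dict:
    """Approximation of the key-selection step: alg must be on the allow-list
    (so 'none' is rejected before any key is considered), the header must carry a
    kid, and that kid must match a 'sig' key in the JWKS. Raises KeyError with an
    IDX10503-style message when no key can be chosen."""
    header = jwt_header(token)
    if header.get("alg") not in allowed_algs:
        raise ValueError(f"unexpected alg {header.get('alg')!r}; expected one of {allowed_algs}")
    sig_keys = [k for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"]
    kid = header.get("kid")
    if kid is None:
        raise KeyError(f"token does not have a kid; {len(sig_keys)} keys in configuration")
    for key in sig_keys:
        if key.get("kid") == kid:
            return key
    raise KeyError(f"kid {kid!r} not in key set; keys tried: {[k['kid'] for k in sig_keys]}")


def diagnose(token: str, instance: str, tenant_id: str, client_id: str) -> str:
    """Report which metadata address resolves the token's kid: the plain tenant
    document, the one with ?appid=, or neither. Uses the constructed JWKS above in
    place of fetching the two documents over the network."""
    documents = [
        (metadata_address(instance, tenant_id), TENANT_JWKS),
        (metadata_address(instance, tenant_id, client_id), APP_JWKS),
    ]
    for url, jwks in documents:
        try:
            key = select_signing_key(token, jwks)
        except KeyError:
            continue
        return f"kid {key['kid']!r} found via {url}"
    return "kid not found in either key set"


if __name__ == "__main__":
    tok = make_sample_token({"typ": "JWT", "alg": "RS256", "kid": "app-key-1"},
                            {"aud": "00000000-0000-0000-0000-000000000000"})
    print(diagnose(tok, "https://login.microsoftonline.com/",
                   "11111111-1111-1111-1111-111111111111",
                   "00000000-0000-0000-0000-000000000000"))
```

Against a real tenant the two key sets would be fetched from the jwks_uri of each metadata document; if the kid from jwt.ms only appears in the ?appid= document, the MetadataAddress change above is the fix, and if it appears in neither, the token was signed with a key the app has no business trusting and the IDX10503 failure is the correct outcome.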