Azure-Samples / active-directory-b2c-dotnet-webapp-and-webapi

A combined sample for a .NET web application that calls a .NET web API, both secured using Azure AD B2C
http://aka.ms/aadb2c
MIT License

IDX10501 Signature validation failed when validating token #75

Closed sshiercir2 closed 3 years ago

sshiercir2 commented 4 years ago

We have a problem with token validation in our test system. We are using the OWIN middleware in OpenID connect.
The code we have was originally based off https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi .
The code has since been modified and customized and is in a .NET 4.6.1 MVC app.

We are getting SecurityTokenInvalidSignatureExceptions with the message "IDX10501 occurs here with this message: Signature validation failed. Unable to match keys: ..." The keys do match though.
We have discussed this with Microsoft and they have indicated to us that Azure settings are correct and that the error is likely occurring in the OWIN middleware.

Our config settings are as follows:

```csharp
private TokenValidationParameters _tokenValidationParameters
{
    get
    {
        TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            ValidAudience = ConfigurationManager.AppSettings["AzureClientId"],
            NameClaimType = "name",
            ValidateLifetime = true,
            ...other validation settings
        };
        return tokenValidationParameters;
    }
}
```

Here are some of the config settings:

```xml
<add key="AzureClientId" value="13a4d1c2-231a-4946-a7db-f5e3903f74b6" />
```

Our token validation in Startup.cs looks like this:

```csharp
private Task OnMessageReceived(MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
{
    string tokenBase64Encoded = string.Empty;
    try
    {
        SecurityToken validatedToken;
        JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
        tokenBase64Encoded = arg.ProtocolMessage.IdToken;
        var user = jwtSecurityTokenHandler.ValidateToken(tokenBase64Encoded, _tokenValidationParameters, out validatedToken); // will throw if the token is invalid
        return Task.FromResult(0);
    }
    catch (ArgumentException ex)
    {
        ...Log and handle the error
    }
    ...Log and handle other specific exceptions

    catch (SecurityTokenInvalidSignatureException ex) // this exception is caught
    {
        ...Log and handle the error
    }
    catch (Exception ex)
    {
        ...Log and handle any other error
    }
}
```

Our configuration method looks like this:

```csharp
public void Configuration(IAppBuilder app)
{
    ...
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // MetadataAddress = "https://cir2advisorstst.b2clogin.com/tfp/cir2advisorstst.onmicrosoft.com/B2C_1A_Signin_OpenID/v2.0/.well-known/openid-configuration"
            MetadataAddress = MetadataAddress,
            ClientId = clientId,
            RedirectUri = redirectUri, // redirectUri points to our test app
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = _tokenValidationParameters,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                ...
                MessageReceived = OnMessageReceived,
                AuthenticationFailed = OnAuthenticationFailed,
                ...other notifications handled.
            }
        }
    );
}
```

How can we prevent this SecurityTokenInvalidSignatureException?

Thanks, Steve

TiagoBrenck commented 4 years ago

Your app might be using custom keys. Could you try the MetadataAddress: https://cir2advisorstst.b2clogin.com/tfp/cir2advisorstst.onmicrosoft.com/B2C_1A_Signin_OpenID/v2.0/.well-known/openid-configuration?appid=<your-app-id> (replacing the value with your application appId)?

sshiercir2 commented 4 years ago

Tiago: I tried that using our Azure client id for the `<your-app-id>` value. Results are unchanged. Still get the same results with the same SecurityTokenInvalidSignatureException.

TiagoBrenck commented 4 years ago

That is interesting. If you decode the JWT Token on https://jwt.ms/ , would the KID claim be the same value that you get from your key endpoint on your MetadataAddress?

sshiercir2 commented 4 years ago

Tiago: KID has the same value.

jmprieur commented 3 years ago

@sshiercir2 is the authority in your app the same as the issuer?

sshiercir2 commented 3 years ago

@jmprieur The issuer in my metadata was not the same as the authority. I made them the same by changing the authority and the result is the same IDX10501 error.

jmprieur commented 3 years ago

@sshiercir2 did you clear the cache of your client?

sshiercir2 commented 3 years ago

Yes, cache was cleared; also ran in Chrome dev tools with "Disable cache" checked. Ran incognito as well. Error occurs all the time.

jmprieur commented 3 years ago

@sshiercir2 : please have a look at https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation which explains how to do the manual validation (which you are doing)

Proposing to close this issue as I believe I've answered, but feel free to reopen if you disagree.
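For reference, this is what the manual validation in the MessageReceived notification looks like when the issuer and signing keys are taken from the middleware's own metadata fetch, which is the approach the linked manual-JWT-validation sample follows. It is an added example, not code from this issue or from the sample; the class name is invented, and it assumes Microsoft.Owin.Security.OpenIdConnect with Microsoft.IdentityModel.Tokens 5.x, where IDX10501 surfaces as SecurityTokenSignatureKeyNotFoundException.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

// Added example, not the issue author's code: validate the id_token by hand in the
// MessageReceived notification, sourcing issuer and signing keys from the middleware's
// own metadata fetch instead of a TokenValidationParameters with no IssuerSigningKeys.
public static class ManualIdTokenValidation
{
    public static async Task OnMessageReceived(
        MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
    {
        OpenIdConnectAuthenticationOptions options = arg.Options;
        // The middleware caches .well-known/openid-configuration (issuer + jwks keys)
        // for options.MetadataAddress; reuse that cache rather than re-downloading.
        OpenIdConnectConfiguration config =
            await options.ConfigurationManager.GetConfigurationAsync(CancellationToken.None);

        // Clone keeps the app's existing settings (audience, lifetime, NameClaimType).
        TokenValidationParameters parameters = options.TokenValidationParameters.Clone();
        parameters.ValidIssuer = config.Issuer;            // issuer published by the B2C policy metadata
        parameters.IssuerSigningKeys = config.SigningKeys; // the kid in the token header must match one of these
        parameters.ValidAudience = options.ClientId;       // id_token aud is the app's client id

        var handler = new JwtSecurityTokenHandler();
        string idToken = arg.ProtocolMessage.IdToken;
        SecurityToken validated;
        try
        {
            ClaimsPrincipal principal = handler.ValidateToken(idToken, parameters, out validated);
            // principal.Identity.Name is populated from the "name" claim via NameClaimType.
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // IDX10501 with a kid absent from the cached set usually means the keys rolled
            // since the last fetch: refresh once and retry; a second failure propagates so
            // it reaches AuthenticationFailed instead of being silently accepted.
            options.ConfigurationManager.RequestRefresh();
            config = await options.ConfigurationManager.GetConfigurationAsync(CancellationToken.None);
            parameters.IssuerSigningKeys = config.SigningKeys;
            handler.ValidateToken(idToken, parameters, out validated);
        }
    }
}
```

Unless the handler calls `arg.HandleResponse()`, the middleware still runs its own validation of the id_token after this notification returns, so the manual pass duplicates that check rather than replacing it.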