azure-ad-b2c / samples

Azure AD B2C custom policy solutions and samples.

JWTissuer - Keyset does not exist exception #621

Open MarijnCatthoor opened 5 months ago

MarijnCatthoor commented 5 months ago

We have implemented a custom policy based on the Invite sample. An Azure Function generates an invite link which is mailed to the new user. That URL directs the user to our Signup policy. All the steps in the signup policy are executed successfully (the user is created), but in the last step (SendClaims) we get an exception:

{
  "Kind": "FatalException",
  "Content": {
    "Time": "8:27 AM",
    "Exception": {
      "Kind": "Handled",
      "HResult": "80090016",
      "Message": "Keyset does not exist\r\n",
      "Data": {}
    }
  }
}

This happens in the JWTIssuer TechnicalProfile from the TrustFrameworkBase policy:

<ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="JwtIssuer">
          <DisplayName>JWT Issuer</DisplayName>
          <Protocol Name="None" />
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="client_id">{service:te}</Item>
            <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
            <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
            <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
          </CryptographicKeys>
          <InputClaims />
          <OutputClaims />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

Which is called in the last step from the UserJourney:

<!-- Let the user fill in the signup form and create the account--> 
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSignUpWithReadOnlyEmail" TechnicalProfileReferenceId="LocalAccountSignUpWithReadOnlyEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Issue an access token for the newly created account-->
        <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

The error message suggests an issue with the certificate used to sign the token; however, the configuration seems OK. All certificates are in place.

Has anyone encountered the same error message, or can anyone guide us in the right direction to solve this?

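The HResult 0x80090016 in the trace above is NTE_BAD_KEYSET ("Keyset does not exist") from the Windows crypto stack, which is consistent with the policy naming a key container the tenant cannot resolve. One mechanical check a practitioner can run before opening a support case is to pull every StorageReferenceId out of the policy files and diff them against the key sets the tenant actually reports from GET https://graph.microsoft.com/beta/trustFramework/keySets. The script below is an added example, not code from this issue or from the azure-ad-b2c/samples project. The policy fragment and the Graph response are constructed inline so it runs offline; the contoso tenant and the B2C_1A_InvitationSigningCert container name are placeholders.

```python
"""Cross-check the key containers a B2C custom policy references against the
key sets that exist in the tenant (constructed inputs, runs offline).

Added example, not code from azure-ad-b2c/samples. In a real check the JSON
would be the body of GET https://graph.microsoft.com/beta/trustFramework/keySets
fetched with a token that has Policy.ReadWrite.TrustFramework or similar.
"""
import json
import xml.etree.ElementTree as ET

# Custom policy elements live in this namespace; without it find() matches nothing.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed policy fragment: the JwtIssuer profile from the issue plus a
# hypothetical profile referencing a container that is deliberately absent.
POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
    PolicyId="B2C_1A_TrustFrameworkBase">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="JwtIssuer">
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
            <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
          </CryptographicKeys>
        </TechnicalProfile>
        <TechnicalProfile Id="GenerateInvitationToken">
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_InvitationSigningCert" />
          </CryptographicKeys>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""

# Constructed stand-in for the Graph keySets response (only the field used here).
GRAPH_KEYSETS_JSON = json.dumps({
    "value": [
        {"id": "B2C_1A_TokenSigningKeyContainer"},
        {"id": "B2C_1A_TokenEncryptionKeyContainer"},
    ]
})


def referenced_keysets(policy_xml: str) -> dict:
    """Map each TechnicalProfile Id to the StorageReferenceIds its keys use."""
    root = ET.fromstring(policy_xml)
    refs = {}
    for tp in root.iterfind(".//tf:TechnicalProfile", NS):
        ids = [k.get("StorageReferenceId")
               for k in tp.iterfind("tf:CryptographicKeys/tf:Key", NS)
               if k.get("StorageReferenceId")]
        if ids:
            refs[tp.get("Id")] = ids
    return refs


def existing_keysets(graph_json: str) -> set:
    """Extract key-set ids from a /trustFramework/keySets response body."""
    return {ks["id"] for ks in json.loads(graph_json)["value"]}


def missing_keysets(policy_xml: str, graph_json: str) -> dict:
    """Return {profile_id: [absent container ids]} for profiles that would
    fail with 'Keyset does not exist' when they run."""
    have = existing_keysets(graph_json)
    gaps = {}
    for profile, ids in referenced_keysets(policy_xml).items():
        absent = [i for i in ids if i not in have]
        if absent:
            gaps[profile] = absent
    return gaps


if __name__ == "__main__":
    gaps = missing_keysets(POLICY_XML, GRAPH_KEYSETS_JSON)
    for profile, ids in gaps.items():
        print(f"{profile}: missing key set(s) {', '.join(ids)}")
    if not gaps:
        print("all referenced key sets exist")
```

Run it against every policy file in the inheritance chain (Base, Extensions, and the relying-party file), since a container referenced only in an overriding profile is just as fatal at run time. A key set that exists can still be empty; GET https://graph.microsoft.com/beta/trustFramework/keySets/{id}/getActiveKey reports whether it holds a usable key, which this offline example does not cover.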
gregcar commented 3 months ago

Did you manage to get this fixed? I've got the same problem. Following the invite flow instructions, I uploaded my new .cer file and issuer_secret key accordingly.

MarijnCatthoor commented 3 months ago

I wasn't working on solving this because of the vacation period, but the issue is still not fixed. I'm in contact with support and I'm working together with them in solving this. I'll post something here if we find a solution.