SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed.

[mrivasa]

Microsoft.Identity.Web version

2.16

Web app sign-in

1-WebApp-OIDC/1-1-MyOrg

Web API (call Graph or downstream APIs)

Not applicable

Deploy to Azure

Not applicable

Auth Z

Not applicable

Description

Running the application after creating it following the instructions from the readme file I get the follwing error:

SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed ...

Reproduction steps

1. Create the new solution using the following dotnet command.
   dotnet new mvc --auth SingleOrg --client-id <Enter_the_Application_Id_here> --tenant-id <yourTenantId> --domain <domainName.onmicrosoft.com>
2. Make sure the client id (GUID), tenant id (GUID), and domain are the correct ones.
3. Run the application.

Error message

Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
---> Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '6'.
Exceptions caught:
'[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Id Web logs

'[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10264: Reading issuer signing keys from validation parameters and configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10265: Reading issuer signing keys from configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10243: Reading issuer signing keys from validation parameters.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10243: Reading issuer signing keys from validation parameters.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10265: Reading issuer signing keys from configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10239: Lifetime of the token is valid.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10234: Audience Validated.Audience: 'XXXXXXXXX'
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Error: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '6'.

Relevant code snippets

Configuration:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "mydomain.onmicrosoft.com",
  "TenantId": "8 ... 3",
  "ClientId": "6 ... a",
  "CallbackPath": "/signin-oidc",
  "EnablePiiLogging": false
}

I have not changed anything on the c# code that was generated by the "dotnet new" command. But I think this is the relevant part:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

Regression

No response

Expected behavior

Using SAML tracer on the browser I can see that after providing the credentials Azure AD post back to my app with a token. Using jwt.ms I can decode the token and it is valid and contains a "kid". The audience on that token is my client id which was provided on the configuration section. Why is the exception happening then? The authentication was successful, and the token is correct.

[mrivasa]

I found a post on techcommunity.microsoft.com that shed light and helped me to resolve this issue.

ID token issued by AAD does not match public sign key

Basically, just add "?appid={your-app-guid}" to the well know openid configuration link used for metadata address. This is needed when custom claim mappings are configured in your application.

Example:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(opt =>
{
builder.Configuration.Bind("AzureAd", opt);
opt.MetadataAdrress = $"{opt.Instance}/{opt.TenantId}/v2.0/.well-known/openid-configuration?appid={opt.ClientId}";
});

Hope this helps somebody.