1
votes

I have set up MSAL to fetch tokens from Azure AD B2C and set up a dotnet core WebAPI to accept JWT tokens. I pointed the WebAPI at the Authority endpoint:

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(jwtOptions =>
    {
        string tenant = Configuration["AzureAdB2C:Tenant"];
        string policy = Configuration["AzureAdB2C:Policy"];
        string clientId = Configuration["AzureAdB2C:ClientId"];

        // The handler downloads the OpenID Connect metadata from this Authority and
        // takes the expected issuer and the signing keys (JWKS) from that document.
        jwtOptions.Authority = $"https://login.microsoftonline.com/tfp/{tenant}/{policy}/v2.0/";
        // The token's aud claim must equal the API's client ID.
        jwtOptions.Audience = clientId;
        jwtOptions.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = AuthenticationFailed
        };
    });

as per the samples. MSAL is configured to use the same policy and same client Id and receives token.

MSAL Authority - https://login.microsoftonline.com/tfp/{tenant}.onmicrosoft.com/{policy}/v2.0.

However, that AuthenticationFailed event handler just returns "IDX10501: Signature validation failed. Unable to match keys." and bounces the auth as a 401.

I went looking for signing keys and the kid of the token is not the same as the kid listed at the discovery endpoint.

https://login.microsoftonline.com/tfp/{tenant}/{policy}/discovery/v2.0/keys

Any ideas?

1
You must not be getting tokens from that location then. Who was the iss of the token? - spottedmahn
https://login.microsoftonline.com/{guid}/v2.0, This wasn't the same as the one configured in the portal. Will test later! - tobyd
@spottedmahn, hole-in-one! Configured the portal to return the iss claim in the shorter format and everything works. - tobyd
Nice! You should post an answer... how did you configure it in the portal? Love the golf reference btw 😉 - spottedmahn
Can you add your authority value of msal.js? Reference - spottedmahn
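The comments above boil down to one diagnostic: decode the token (without trusting it), then compare its iss and kid against the issuer and JWKS that the API's configured Authority actually publishes. The script below is an added example, not code from the question or answer; the tenant ID, policy name, client ID, metadata document and JWKS are all constructed placeholders, and the token it builds carries a dummy signature purely so there is something to parse. In a real check you would paste the bearer token and the JSON fetched from the Authority's .well-known/openid-configuration and jwks_uri URLs.

```python
import base64
import json

# All sample values below are constructed for this example; none come from the
# original post or from a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
POLICY = "B2C_1_signin"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# What the Web API's Authority (the tfp/{tenant}/{policy} endpoint) publishes.
AUTHORITY_METADATA = {
    "issuer": f"https://login.microsoftonline.com/tfp/{TENANT_ID}/{POLICY}/v2.0/",
    "jwks_uri": f"https://login.microsoftonline.com/tfp/{TENANT_ID}/{POLICY}/discovery/v2.0/keys",
}
AUTHORITY_JWKS = {"keys": [{"kty": "RSA", "kid": "policy-signing-key-1", "use": "sig"}]}


def b64url_decode(segment):
    """Decode a base64url segment, restoring the stripped '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_jwt(header, payload):
    """Assemble a JWT-shaped string with a dummy signature, purely so the
    diagnostic has something to parse. Never accept a token built this way."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"\x00" * 32),
    ])


def peek(token):
    """Decode header and payload WITHOUT verifying the signature. Fine for
    reading iss/kid/aud while diagnosing; not a substitute for validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def diagnose(token, metadata, jwks, expected_audience):
    """Compare the token against what the configured Authority publishes.
    Returns a list of findings; an empty list means iss, kid and aud line up,
    so any remaining 401 is a signature/lifetime problem, not a wiring one."""
    header, payload = peek(token)
    findings = []
    if payload.get("iss") != metadata["issuer"]:
        findings.append(
            f"iss mismatch: token={payload.get('iss')!r} authority={metadata['issuer']!r}")
    kids = [k.get("kid") for k in jwks.get("keys", [])]
    if header.get("kid") not in kids:
        findings.append(
            f"kid {header.get('kid')!r} not in {metadata['jwks_uri']} (kids={kids}); "
            "this is the IDX10501 'unable to match keys' case")
    aud = payload.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud mismatch: token={aud!r} expected={expected_audience!r}")
    return findings


def diagnose_sample(short_form_issuer):
    """Run the check on a constructed token. short_form_issuer=True mimics the
    situation in the question: the token carries the {tenant}/v2.0 issuer and a
    kid that the policy endpoint's JWKS does not advertise."""
    if short_form_issuer:
        iss = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/"
        kid = "key-from-other-endpoint"
    else:
        iss = AUTHORITY_METADATA["issuer"]
        kid = "policy-signing-key-1"
    token = make_test_jwt({"alg": "RS256", "typ": "JWT", "kid": kid},
                          {"iss": iss, "aud": CLIENT_ID, "tfp": POLICY})
    return diagnose(token, AUTHORITY_METADATA, AUTHORITY_JWKS, CLIENT_ID)


if __name__ == "__main__":
    for finding in diagnose_sample(short_form_issuer=True) or ["no mismatch found"]:
        print(finding)
```

The point of running this before touching the API configuration is that the JwtBearer handler only ever trusts the issuer and keys it downloaded from jwtOptions.Authority; if the client obtained its token from a different endpoint, the kid will not be in that JWKS and IDX10501 is the expected result, no matter how the API is configured.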

1 Answer

3
votes

Azure Policy SSO Options

It seems that I had not selected the correct Issuer claim setting. MSAL was grabbing its token using the https://login.microsoftonline.com/{guid}/v2.0 endpoint, whereas the WebAPI was using the https://login.microsoftonline.com/tfp/{guid}/{policy}/v2.0/ issuer.

As per the docs this isn't an OpenID-compatible endpoint, but it works fine for B2C. It pays to check over the two different claim sets!