1 vote

I've created a custom IEF policy and uploaded this to my tenant. This works fine calling it from the Azure portal and I can see the JWT output which has a signature as this

From IEF application
{
  "typ": "JWT",
  "alg": "HS256",
  "kid": "XXXXXXXXXXXXX_XXXXXXXCSY"
}

However, if I do a File > New .NET Core web project, use my B2C application ID (not my IEF one) and call the policy, I get an error on the callback:

Signature validation Unable to match key kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.

Comparing the two JWTs generated, there is a difference in the signature:

From B2C application
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "XXXXXXXXXXXXXXX-XXXXXXXNk"
}

I'm assuming my web app needs to validate a different issuer of the token. I've seen some information regarding a 'discovery' URL, but how do I do this using the out-of-the-box web solutions? I couldn't find much info on this at all.


1 Answer

0 votes

Found the culprit!

It was a case of RTFM on https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started?tabs=applications when generating the signing key.

I accidentally selected 'secret' instead of 'rsa' for the key type.

Deleting this signing key and recreating it correctly fixed this all up. Hope that helps someone down the line!
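The symptom in the question (an HS256 header with one kid, while the relying party expects an RS256 key published at the policy's discovery/JWKS endpoint) and the cause in the answer (a signing key created as 'secret' instead of 'rsa') can both be spotted before the OpenID Connect middleware fails. The following is an added example, not code from either poster or from Microsoft: it decodes the JOSE header of a token without verifying it and reports why a JWKS-based validator would refuse the signature. The JWKS document and the tokens are constructed sample values; a real check would fetch the `jwks_uri` named in the policy's discovery document.

```python
import base64
import json

# Constructed sample JWKS, shaped like the document served at the policy's
# jwks_uri. Only the kid matters for this check; n/e are placeholders.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "X1234567890-EXAMPLENk", "kty": "RSA", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWS/JWT (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[0]))


def diagnose_signing_key(token: str, jwks: dict, expected_algs=("RS256",)) -> list:
    """Explain why a JWKS-based validator would reject this token's signature.

    Returns a list of human-readable problems; an empty list means the header
    is consistent with the published keys (the signature itself is still
    unchecked here).
    """
    header = jwt_header(token)
    alg = header.get("alg")
    kid = header.get("kid")
    problems = []

    if alg not in expected_algs:
        note = f"alg {alg!r} is not one of the expected algorithms {list(expected_algs)}"
        if isinstance(alg, str) and alg.startswith("HS"):
            # HS* means HMAC with a shared secret: the policy's signing key was
            # created as a symmetric 'secret' rather than an RSA key pair.
            note += " (token is HMAC-signed with a symmetric secret, not an RSA key)"
        problems.append(note)

    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if kid not in known_kids:
        problems.append(f"kid {kid!r} not found in JWKS (known kids: {sorted(known_kids)})")

    return problems


def make_sample_token(header: dict, payload: dict) -> str:
    """Build a token with a placeholder signature segment (constructed data)."""
    sig = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode()
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.{sig}"


# Constructed tokens mirroring the two headers from the question.
HS256_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "HS256", "kid": "X0000000000_EXAMPLECSY"}, {"sub": "demo"})
RS256_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "kid": "X1234567890-EXAMPLENk"}, {"sub": "demo"})


if __name__ == "__main__":
    for name, tok in (("HS256 token", HS256_TOKEN), ("RS256 token", RS256_TOKEN)):
        print(name, "->", diagnose_signing_key(tok, SAMPLE_JWKS) or ["ok"])
```

Running it against the HS256-style token yields two findings (unexpected `alg`, unknown `kid`), which is exactly the pair of facts behind the middleware's "Unable to match key" error; the RS256-style token whose kid is in the JWKS yields none. The check only inspects the header: actual signature verification still belongs to the OpenID Connect middleware once the key type is corrected.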