2 votes

I need to get an OAuth2 access token from Azure Active Directory. For this, I am using the certificate-based method. I have uploaded the .crt file to Azure AD and got the certificate thumbprint from the Azure AD UI.

Now I am generating a JWT token from JWT.io and trying it using Postman. But I always get the following error: "AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client"

I am not sure what could be causing this. In JWT.io I am entering the Base64-encoded thumbprint of the public certificate (which I uploaded to Azure AD) as the x5t parameter. I got this thumbprint from the Azure portal UI, as mentioned above.

In JWT.io I am entering the public (crt) and private (key) certificates under "Verify Signature" and can see that the signature matches.

Please let me know if anyone has any idea about this.

2
Could you show the code you are trying to use? – juunas
If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). See meta.stackexchange.com/questions/5234/… This can be beneficial to other community members. Thank you. – Carl Zhao

2 Answers

1 vote

As far as I know, this error is usually caused by not encoding the thumbprint correctly. After you obtain the thumbprint, please check your code to ensure that it is properly Base64 encoded.

Check the format of your JWT token at https://jwt.io/; you can refer to this example and the certificate credentials format:

Header

{
  "alg": "RS256",
  "typ": "JWT",
  "x5t": "<Base64 Thumbprint>"
}

Payload

{
  "iss": "<clientid>",
  "sub": "<clientid>",
  "exp": 1570838377,
  "jti": "<random unique identifier>",
  "aud": "https://<token-endpoint>"
}

(exp is the expiration time as a Unix timestamp.)

Drop your private key into the bottom verifier, which will sign your JWT in the "Encoded" window.

I found some cases for your reference, I hope it can help you: https://community.dynamics.com/crm/f/microsoft-dynamics-crm-forum/320069/authentication-to-dynamics-365-using-azure-apps and https://github.com/AzureAD/passport-azure-ad/issues/453
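The following is an added example, not code from the question or the answer above. It shows what a correctly encoded x5t looks like and how it relates to the thumbprint the portal displays: x5t is the base64url encoding of the 20 raw SHA-1 bytes of the certificate's DER encoding (RFC 7515 section 4.1.7), not the hex string itself and not base64 of that hex string, which are the two encodings that produce the "key was not found" thumbprint mismatch. It also assembles and signs the client assertion with the header and payload shape shown above. Assumptions: the DER bytes and the client/tenant identifiers are constructed placeholders, the aud value follows the v2.0 token endpoint form, and RS256 signing uses a stdlib-only textbook RSA/PKCS#1 v1.5 implementation so the script runs offline; for real use, load the private key with the cryptography package or a JWT library and keep the x5t logic.

```python
import base64
import hashlib
import json
import secrets
import time
import uuid

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_from_der(cert_der: bytes) -> str:
    """x5t = base64url(SHA-1(DER-encoded certificate))."""
    return b64url(hashlib.sha1(cert_der).digest())


def x5t_from_portal_thumbprint(thumbprint_hex: str) -> str:
    """Convert the hex thumbprint shown in the Azure portal to an x5t value.

    The hex is decoded to its 20 raw bytes before base64url-encoding;
    encoding the hex *string*, or pasting it as-is, gives a value AAD
    cannot match against the uploaded certificate.
    """
    raw = bytes.fromhex(thumbprint_hex.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("SHA-1 thumbprint must decode to 20 bytes")
    return b64url(raw)


def x5t_looks_valid(x5t: str) -> bool:
    """Sanity check: a correct x5t decodes to exactly 20 bytes (27 characters)."""
    try:
        return len(b64url_decode(x5t)) == 20
    except (ValueError, UnicodeError):
        return False


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a demo key, not a hardened generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits: int = 1024):
    """Textbook RSA key (n, e, d). Demo only; real keys come from your .key file."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")


def rs256_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(message, k))


def _compact_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def build_client_assertion(client_id: str, tenant_id: str, x5t: str, n: int, d: int, now=None) -> str:
    """Assemble header.payload.signature for the client_credentials certificate flow."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    payload = {
        "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",  # assumed v2.0 endpoint form
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion, used to prevent replay
        "nbf": now,
        "exp": now + 600,          # keep the assertion short-lived
    }
    signing_input = _compact_json(header) + "." + _compact_json(payload)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii"), n, d))


def verify_client_assertion(assertion: str, n: int, e: int):
    """What the token endpoint does: check the RS256 signature, return (header, claims)."""
    h, p, s = assertion.split(".")
    if not rs256_verify(f"{h}.{p}".encode("ascii"), b64url_decode(s), n, e):
        raise ValueError("client assertion signature does not verify")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


if __name__ == "__main__":
    cert_der = b"constructed stand-in for DER certificate bytes"   # constructed, not a real cert
    portal_hex = hashlib.sha1(cert_der).hexdigest().upper()       # what the portal would display
    x5t = x5t_from_portal_thumbprint(portal_hex)
    n, e, d = generate_rsa_key()
    token = build_client_assertion("<client-id>", "<tenant-id>", x5t, n, d)  # placeholders
    print(token)
    print("x5t in header:", verify_client_assertion(token, n, e)[0]["x5t"])
```

To check a hand-built token, decode its header and run `x5t_looks_valid` on the x5t value: the hex thumbprint pasted directly decodes to 30 bytes and base64 of the hex string decodes to 40, while the correct value decodes to 20.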

0 votes

I wanted to share with you that I get this exact same error if I request an access token using a new certificate, right after I have just added the new certificate to my AAD app via MS Graph (/addKey). If I immediately try again without changing anything, it is successful. It doesn't seem to matter how long I wait before the first try; it's like it needs to fail once before the new cert is ready for use. If I upload certs in the GUI, the issue never surfaces.

I know it's not the same issue you're having, but it's worth knowing what else AAD will give this exact error message for.