0 votes

I am authenticating an ASP.NET MVC app against Azure B2C; the Startup.cs code is below:

using System;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    // Diagnostic setting: include PII (for example the full kid) in IdentityModel exception messages
    IdentityModelEventSource.ShowPII = true;
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Generate the metadata address using the tenant and policy information
            MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = Globals.ClientId,
            RedirectUri = Globals.RedirectUri,
            PostLogoutRedirectUri = Globals.RedirectUri,

            // Specify the callbacks for each type of notification
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
            },

            // Specify the claim type that supplies the Name property.
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                // Issuer validation is switched off here: a token is accepted from any issuer
                // as long as its signature matches a key from the downloaded metadata
                ValidateIssuer = false
            },

            // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
            Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}"
        });
}

It's giving the below error when using a custom policy: IDX10501: Signature validation failed. Unable to match key: kid: 'gL****************'. Exceptions caught: ''. token: typ":"JWT","alg":"RS256","kid":"gL****************"}. {"exp":1599625561,"nbf":1599621961,"ver":"1.0","iss":......................}

I have verified that this key and token are exactly the same as what I get from https://jwt.ms. It's only throwing the error while I am using a custom policy; if I use a built-in policy it's working as expected.

Any help on what is missing here?

Thanks.

Comments

MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy) - Are you updating Globals.DefaultPolicy to the custom policy name while switching? - krishg

Yes, I have updated it to the correct policy name and it executes the policy as well. It shows the sign-in screen, but once I enter the user credentials and it redirects back to my MVC app, it throws the signature invalid error. Surprisingly, the kid and other token details are correct (I have verified this by running the custom policy from the portal and checking the token details at jwt.ms). - Vikas

Ok, thanks. It looks like some mismatch of the signing key. So, I would still focus on the well-known MetadataAddress you are setting. Can you post the actual URL (after masking actual names, of course) it's forming after the String.Format? Does it look like https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/v2.0/.well-known/openid-configuration? - krishg

Yes, the metadata address is created like this: tenantname.b2clogin.com/tfp/tenantname.onmicrosoft.com/…. I have also tried to remove {tfp} from the URL and build it like yours, but I am still getting the same error. - Vikas

I have recreated both B2C_1A_TokenEncryptionKeyContainer and B2C_1A_TokenSigningKeyContainer, as mentioned in the docs (docs.microsoft.com/en-us/azure/active-directory-b2c/…), and that fixed the issue. Also, {tfp} is required as part of the metadata endpoint; otherwise it throws an error even after receiving a valid code. - Vikas
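An added diagnostic for the failure discussed in this question and its comments. It is example code written for this page in Python rather than the app's C#, not code from the question, the answer or Microsoft: it builds the /tfp/ form of the metadata address the comments converge on, decodes the protected header of a token and reports whether its kid is present in a JWKS, which is the lookup behind the IDX10501 "Unable to match key" message. The tenant name, policy name, token and both JWKS documents are constructed inside the block (the Globals.WellKnownMetadata format string itself is not on the page, so the URL shape is taken from the comment thread); no network call is made, and the signature segment is a placeholder, so only the kid lookup is exercised, not RS256 verification.

```python
import base64
import json

# Constructed sample identifiers: not a real tenant, policy, key or token.
TENANT = "contoso"                      # hypothetical B2C tenant short name
POLICY = "B2C_1A_signup_signin"         # hypothetical custom policy name


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) uses for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def metadata_address(tenant: str, policy: str) -> str:
    """Discovery URL in the /tfp/ form the comments settled on. This is what
    String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy)
    in Startup.cs is expected to produce (assumption: the format string is not on the page)."""
    return (f"https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/"
            f"{policy}/v2.0/.well-known/openid-configuration")


def jws_header(token: str) -> dict:
    """Decode the protected header of a compact JWS (header.payload.signature)."""
    header_segment = token.split(".")[0]
    return json.loads(b64url_decode(header_segment))


def diagnose_kid(token: str, jwks: dict) -> dict:
    """The lookup behind IDX10501: is the token's kid among the keys the middleware
    downloaded from jwks_uri? Only kids are reported, never key material."""
    header = jws_header(token)
    kid = header.get("kid")
    offered = [key.get("kid") for key in jwks.get("keys", [])]
    return {
        "kid": kid,
        "alg": header.get("alg"),
        "offered_kids": offered,
        "matched": kid in offered,
    }


def make_sample_token(kid: str) -> str:
    """Build a compact JWS carrying the given kid. The signature segment is a
    placeholder, so the result is good for header inspection only (constructed)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    payload = {"exp": 1599625561, "nbf": 1599621961, "ver": "1.0",
               "iss": "https://issuer.example.invalid/constructed/v2.0/"}
    segments = [
        b64url_encode(json.dumps(header).encode("utf-8")),
        b64url_encode(json.dumps(payload).encode("utf-8")),
        b64url_encode(b"placeholder-signature-not-rs256"),
    ]
    return ".".join(segments)


def rsa_jwk(kid: str) -> dict:
    """A JWKS entry shaped like an RSA signing key, with a constructed modulus (not usable)."""
    return {"kty": "RSA", "use": "sig", "kid": kid, "e": "AQAB", "n": "constructed-modulus"}


# Constructed scenario modelled on the thread: the tokens carry a kid that the policy's
# metadata endpoint is not advertising, then the key container is regenerated and the
# endpoint advertises the kid the tokens carry.
SAMPLE_TOKEN = make_sample_token("constructed-kid-new")
JWKS_STALE = {"keys": [rsa_jwk("constructed-kid-old")]}
JWKS_FRESH = {"keys": [rsa_jwk("constructed-kid-new")]}


if __name__ == "__main__":
    print("metadata:", metadata_address(TENANT, POLICY))
    for label, jwks in (("stale", JWKS_STALE), ("fresh", JWKS_FRESH)):
        result = diagnose_kid(SAMPLE_TOKEN, jwks)
        status = "ok" if result["matched"] else "IDX10501-style mismatch"
        print(f"{label}: kid={result['kid']} offered={result['offered_kids']} -> {status}")
```

Running the block against the stale JWKS reproduces the mismatch; against the fresh one the same token's kid is found. The OWIN middleware performs exactly this lookup itself, so the value of doing it by hand is to compare the kid in the rejected token with the kids actually served at the jwks_uri of the metadata document for the policy in the URL: if the policy name or the /tfp/ segment in MetadataAddress is wrong, the middleware is simply reading a different key set from the one that signed the token.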

1 Answer

0 votes

As confirmed, it was a problem with the signing key and encryption key in your custom policy. Creating both correctly fixed the issue.

Create the signing key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Signature.
  6. Select Create.

Create the encryption key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Encryption.
  6. Select Create.