Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. #744

Open
mrivasa opened this issue Nov 30, 2023 · 1 comment
Open

SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. #744

mrivasa opened this issue Nov 30, 2023 · 1 comment
Labels
question Further information is requested

Comments

@mrivasa
Copy link

mrivasa commented Nov 30, 2023

Microsoft.Identity.Web version

2.16

Web app sign-in

1-WebApp-OIDC/1-1-MyOrg

Web API (call Graph or downstream APIs)

Not applicable

Deploy to Azure

Not applicable

Auth Z

Not applicable

Description

Running the application after creating it following the instructions from the readme file I get the follwing error:

SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed ...

Reproduction steps

  1. Create the new solution using the following dotnet command.
    dotnet new mvc --auth SingleOrg --client-id <Enter_the_Application_Id_here> --tenant-id <yourTenantId> --domain <domainName.onmicrosoft.com>
  2. Make sure the client id (GUID), tenant id (GUID), and domain are the correct ones.
  3. Run the application.

Error message

Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
---> Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '6'.
Exceptions caught:
'[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Id Web logs

'[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10264: Reading issuer signing keys from validation parameters and configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10265: Reading issuer signing keys from configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10243: Reading issuer signing keys from validation parameters.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10243: Reading issuer signing keys from validation parameters.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10265: Reading issuer signing keys from configuration.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10239: Lifetime of the token is valid.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Information: IDX10234: Audience Validated.Audience: 'XXXXXXXXX'
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Error: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '6'.

Relevant code snippets

Configuration:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "mydomain.onmicrosoft.com",
  "TenantId": "8 ... 3",
  "ClientId": "6 ... a",
  "CallbackPath": "/signin-oidc",
  "EnablePiiLogging": false
}

I have not changed anything on the c# code that was generated by the "dotnet new" command. But I think this is the relevant part:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

Regression

No response

Expected behavior

Using SAML tracer on the browser I can see that after providing the credentials Azure AD post back to my app with a token. Using jwt.ms I can decode the token and it is valid and contains a "kid". The audience on that token is my client id which was provided on the configuration section. Why is the exception happening then? The authentication was successful, and the token is correct.
@mrivasa mrivasa added the question Further information is requested label Nov 30, 2023
@mrivasa
Copy link
Author

mrivasa commented Dec 1, 2023

I found a post on techcommunity.microsoft.com that shed light and helped me to resolve this issue.

ID token issued by AAD does not match public sign key

Basically, just add "?appid={your-app-guid}" to the well know openid configuration link used for metadata address. This is needed when custom claim mappings are configured in your application.

Example:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(opt =>
{
builder.Configuration.Bind("AzureAd", opt);
opt.MetadataAdrress = $"{opt.Instance}/{opt.TenantId}/v2.0/.well-known/openid-configuration?appid={opt.ClientId}";
});

Hope this helps somebody.

@mrivasa mrivasa changed the title Signature validation failed exception. SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Dec 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mrivasa