Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

IDX10501 Signature validation failed when validating token

See original GitHub issue

We have a problem with token validation in our test system. We are using the OWIN middleware in OpenID connect.
The code we have was originally based off .
The code has since been modified and customized and is in a .NET 4.6.1 MVC app.

We are getting SecurityTokenInvalidSignatureExceptions with the message “IDX10501 occurs here with this message: Signature validation failed. Unable to match keys: …” The keys do match though.
We have discussed this with Microsoft and they have indicated to us that Azure settings are correct and that the error is likely occurring in the OWIN middleware.

Our config settings are as follows:

     private TokenValidationParameters _tokenValidationParameters
            TokenValidationParameters tokenValidationParameters= new TokenValidationParameters
				ValidateAudience = true,
                ValidAudience = ConfigurationManager.AppSettings["AzureClientId"],
                NameClaimType = "name",
                ValidateLifetime = true,
				...other validation settings
            return tokenValidationParameters;

Here are some of the config settings: <add key="AzureTenant" value="f16af6eb-9396-4db0-b938-62c8cf9be01d" /> <add key="AzureClientId" value="13a4d1c2-231a-4946-a7db-f5e3903f74b6" />

Our token validation in Startup.cs looks like this:

        private Task OnMessageReceived(MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
            string tokenBase64Encoded = string.Empty;
                SecurityToken validatedToken;
                JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
                tokenBase64Encoded = arg.ProtocolMessage.IdToken;
                var user = jwtSecurityTokenHandler.ValidateToken(tokenBase64Encoded, _tokenValidationParameters, out validatedToken);//will generate exception if invalid token
                return Task.FromResult(0);

            catch (ArgumentException ex)
					...Log and handle the error
			...Log  and handle other specific exceptions
            catch (SecurityTokenInvalidSignatureException ex)  //this exception is caught
					...Log and handle the error
            catch (Exception ex)
					...Log  and handle any other error

Our configuration method looks like this:

       public void Configuration(IAppBuilder app)
                new OpenIdConnectAuthenticationOptions
                    MetadataAddress = MetadataAddress,\\MetadataAddress=""
                    ClientId = clientId,
                    RedirectUri = redirectUri, //redirectUri points to our test app
                    PostLogoutRedirectUri = redirectUri,
                    Scope = OpenIdConnectScope.OpenIdProfile,
                    ResponseType = OpenIdConnectResponseType.IdToken,
                    TokenValidationParameters = _tokenValidationParameters,
                    Notifications = new OpenIdConnectAuthenticationNotifications
                        MessageReceived = OnMessageReceived,
                        AuthenticationFailed = OnAuthenticationFailed,
                        ...other notifications handled.

How can we prevent this SecurityTokenInvalidSignatureException?

Thanks, Steve

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:9 (3 by maintainers)

github_iconTop GitHub Comments

TiagoBrenckcommented, Sep 10, 2020

Your app might be using custom keys. Could you try the MetadataAddress:<your-app-id> (replacing the value with your application appId)?

jmprieurcommented, Jan 25, 2021

@sshiercir2 : please have a look at which explains how to do the manual validation (which you are doing)

Proposing to close this issue as I believe I’ve answered, but feel free to reopen if you disagree.

Read more comments on GitHub >

github_iconTop Results From Across the Web

IDX10501: Signature validation failed. Unable to match keys
In my case, the same error was because of inadvertent use of the token received from one environment (https://dev/identity) and validated in ...
Read more >
IDX10501: Signature validation failed. Unable to match key ...
The Number of keys in TokenValidationParameters: '0' messages is uncommon. It states no keys have been found or loaded. Ensure Azure AD ...
Read more >
Signature validation failed. Unable to match key - Questions
Tokens.SecurityTokenSignatureKeyNotFoundException : IDX10501: Signature validation failed. Unable to match key: kid: I am generating my key via ...
Read more >
IDX10501: Signature validation failed. Unable to match key
Cause: The token issued by one node is signed with a different certificate than the node that is validating it as part of...
Read more >
net core - Signature validation failed. Unable to match key: kid
... depending on the tenant, however when trying to authorize the bearer token we get the following error:- Signature validation fai...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found