Access Token Signature validation fails
Which Version of MSAL are you using? 2.7.0
Which platform has the issue? .NET 4.6 / Win 10 1809
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
Repro
using System.Linq;
using Microsoft.Identity.Client;

var Application = new PublicClientApplication(
    ClientId,
    "https://login.microsoftonline.com/organizations/");
// Unbalanced parenthesis fixed: the await must be wrapped before calling FirstOrDefault().
var account = (await Application.GetAccountsAsync()).FirstOrDefault();
var scopes = new[] { "user.read" };
var result = await Application.AcquireTokenAsync(scopes).ConfigureAwait(false);
var accessToken = result.AccessToken;
- Provide a ClientId value, put a breakpoint on the last line, run the code and sign in to Azure.
- Grab the accessToken value and put it into the "Encoded" field at https://jwt.io/
- Write down the kid value shown in the "Decoded / header" field. Note: the tested tokens used the RS256 algorithm.
- Open https://login.windows.net/common/discovery/keys, find the kid value and grab the appropriate x5c string value.
- Open a new file (call it cert.cer) and write in it:
  -----BEGIN CERTIFICATE-----
  the grabbed x5c string value
  -----END CERTIFICATE-----
- Run the command openssl x509 -pubkey -in cert.cer -text -noout and grab the public key (-----BEGIN PUBLIC KEY ... END PUBLIC KEY-----).
- Paste the public key into the "VERIFY SIGNATURE / Public key" field on the already opened https://jwt.io/
- Notice that it shows "invalid signature" below the "Encoded" field.
The token was also tested using the PHP openssl extension (via this, this and this library chain) and it also fails signature verification.
Expected behavior: The signature verification succeeds and the signature is considered valid.
Actual behavior: The signature verification fails and the signature is considered invalid.
Issue Analytics
- Created 5 years ago
- Comments: 25 (12 by maintainers)
Top GitHub Comments
Thanks @jmprieur, you helped a lot.
@mcetkovsky is there a ‘nonce’ in the JwtHeader?
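An added triage helper written for this page (not code from the MSAL project or the issue author) that does the header inspection and x5c-to-PEM steps of the repro offline: it reads alg and kid from the token header, looks the kid up in a discovery document, folds the x5c value into PEM armor at 64 columns, and flags a nonce header like the one the last comment asks about. The sample token and discovery document are constructed placeholders, and the reading that a nonce in the header marks a token meant only for the resource it was issued to is this example's own assumption.

```python
import base64
import json
import textwrap

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment (compact serialization carries no padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_header(token: str) -> dict:
    """Return the JOSE header, i.e. what jwt.io shows under 'Decoded / header'."""
    return json.loads(b64url_decode(token.split(".")[0]))

def x5c_to_pem(x5c_value: str) -> str:
    """Wrap an x5c string from the discovery document in PEM armor, with the body
    folded at 64 columns so openssl x509 and strict PEM parsers accept the file."""
    body = "\n".join(textwrap.wrap(x5c_value, 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def find_key(jwks: dict, kid: str):
    """Return the discovery-document key whose kid matches the token header, or None."""
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)

def triage(token: str, jwks: dict) -> list:
    """List reasons a manual jwt.io-style check of this token can report 'invalid signature'."""
    hdr = jwt_header(token)
    reasons = []
    if hdr.get("alg") != "RS256":
        reasons.append("alg is %r, not RS256" % hdr.get("alg"))
    if find_key(jwks, hdr.get("kid", "")) is None:
        reasons.append("kid %r is not in the discovery document" % hdr.get("kid"))
    if "nonce" in hdr:
        # Assumption for this example: a nonce in the header marks a token that only
        # the resource it was issued for is expected to validate, so a third-party
        # signature check of it is not meaningful.
        reasons.append("header carries a nonce; the token is not meant for this verifier")
    return reasons

def constructed_token(header: dict) -> str:
    """Constructed sample: the signature segment is a placeholder, not a real RS256 signature."""
    segments = [json.dumps(header, separators=(",", ":")).encode(),
                b'{"aud":"constructed-audience"}', b"placeholder-signature"]
    return ".".join(b64url_encode(s) for s in segments)

# Constructed discovery document; the x5c value is a placeholder, not a real certificate.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "CONSTRUCTED-KID-1",
                         "x5c": ["Q09OU1RSVUNURUQ" * 12]}]}
```

Run triage() on the access token from the repro together with the JSON fetched from the discovery keys URL; an empty list means none of these three explanations applies to that token.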