Tags: jwt, azure-active-directory, owin, single-page-application

"IDX10511: Signature validation failed" for Azure AD SPA application


I have an SPA application derived from the Identity Platform sample that originally calls a Graph API.

I've changed the endpoint to call a local API.

The SPA uses Azure AD for authentication.

The API sample is derived from the VS 2019 project template for API.

.NET 4.7.2 - no .NET Core.

I can authenticate OK and both ID and access tokens are present when I do a network trace.

However, on the API side I get an error:

"IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '1E50B4475DAC931359D564309A3385FFAB7FB431', InternalId: 'f61f7746-3cff-4557-8b2c-b47fad9cf1e3'. , KeyId: 1E50B4475DAC931359D564309A3385FFAB7FB431"

Decoding the access token shows:

    {
      "typ": "JWT",
      "nonce": "G0Q6_BuYJUfZaBnX-l1Ox1eoncxXRT4KMThFBcn1-VA",
      "alg": "RS256",
      "x5t": "HlC0R12skxNZ1WQwmjOF_6t_tDE",
      "kid": "HlC0R12skxNZ1WQwmjOF_6t_tDE"
    }

Googling this, it appears that the signature fails because of the nonce in the header and this requires "special processing".

All the validation is being done by OWIN.

Any idea what this is or how to fix this?


Solution

  • I didn't think it was a configuration issue because I've never seen any configuration that specifies signature.

    So I started looking through msal.js - it's open source.

    "User.Read" (the scope defined in the sample I used) is hardcoded in a number of places so I removed this scope from the sample and created a dummy one called "abc".

    I also reconfigured Azure AD for the scope change.

    Lo and behold, everything worked.

    Even more interesting, the header is different:

    {
      "typ": "JWT",
      "alg": "RS256",
      "x5t": "HlC0R12skxNZ1WQwmjOF_6t_tDE",
      "kid": "HlC0R12skxNZ1WQwmjOF_6t_tDE"
    }
    

    Notice that there is no nonce.

    So I suspect that because the original sample used Microsoft Graph, "User.Read" implies some special Graph processing that adds the nonce that screws up the signature.

    For reference.
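Editor's note on the two headers above, with an added example that is not part of the question or the answer. The `nonce` header is what Azure AD puts on access tokens issued for Microsoft Graph (audience `https://graph.microsoft.com` or `00000003-0000-0000-c000-000000000000`); those tokens are meant to be verified only by Graph, which is why a standards-conforming JWT validator such as OWIN's reports IDX10511 even though it found the right key. You can see that the key was right: the `kid`/`x5t` value `HlC0R12skxNZ1WQwmjOF_6t_tDE` is the base64url form of the hex thumbprint `1E50B447...B431` quoted in the error. Requesting `User.Read` asks for a Graph token; requesting a scope the API itself exposes (as the answer's `abc` scope does) yields a token whose `aud` is the API and whose header carries no `nonce`. The Python below is a diagnostic a practitioner can run on a captured token before blaming the validator: it decodes the header and claims without verifying the signature, checks for the Graph `nonce`, checks `aud`, and checks a `kid` against the hex thumbprint OWIN prints. The tokens, the claims and the `api://...` audience are constructed for the demo (the signature segment is a placeholder), and the `API_AUDIENCE` value is a hypothetical app ID URI, not one from the post.

```python
import base64
import json

# Audience values Azure AD uses on Microsoft Graph access tokens.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Return (header, claims, signature_segment) of a compact JWS. No verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts[2]


def kid_matches_thumbprint(kid: str, hex_thumbprint: str) -> bool:
    """Azure AD's 'kid'/'x5t' is the base64url form of the signing certificate's
    SHA-1 thumbprint; OWIN prints that same thumbprint as hex in the IDX10511 KeyId."""
    return b64url_decode(kid).hex().upper() == hex_thumbprint.upper()


def diagnose_access_token(token: str, expected_audience: str) -> list:
    """List the reasons an Azure AD access token is not one this API should validate.
    Empty list means nothing looks wrong (the signature itself is NOT checked here)."""
    header, claims, _signature = split_jwt(token)
    findings = []
    if "nonce" in header:
        findings.append(
            "header has 'nonce': this is a Microsoft Graph access token; only Graph "
            "can verify its signature, so do not validate it in your own API"
        )
    if header.get("alg") != "RS256":
        findings.append(f"unexpected alg {header.get('alg')!r}; Azure AD signs access tokens with RS256")
    aud = claims.get("aud")
    if aud in GRAPH_AUDIENCES:
        findings.append(f"aud {aud!r} is Microsoft Graph, not this API: request a scope your API exposes")
    elif aud != expected_audience:
        findings.append(f"aud {aud!r} does not match this API's expected audience {expected_audience!r}")
    return findings


def make_unsigned_sample(header: dict, claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature (demo only)."""
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'placeholder-signature')}"


# Constructed samples mirroring the two headers in the post; the claims are made up.
SIGNING_KID = "HlC0R12skxNZ1WQwmjOF_6t_tDE"
GRAPH_TOKEN = make_unsigned_sample(
    {"typ": "JWT", "nonce": "G0Q6_BuYJUfZaBnX-l1Ox1eoncxXRT4KMThFBcn1-VA",
     "alg": "RS256", "x5t": SIGNING_KID, "kid": SIGNING_KID},
    {"aud": "https://graph.microsoft.com", "scp": "User.Read"},
)
API_AUDIENCE = "api://11111111-2222-3333-4444-555555555555"  # hypothetical app ID URI
API_TOKEN = make_unsigned_sample(
    {"typ": "JWT", "alg": "RS256", "x5t": SIGNING_KID, "kid": SIGNING_KID},
    {"aud": API_AUDIENCE, "scp": "abc"},
)

if __name__ == "__main__":
    for name, tok in (("Graph token", GRAPH_TOKEN), ("API token", API_TOKEN)):
        print(name, diagnose_access_token(tok, API_AUDIENCE) or ["looks like a token for this API"])
    print("kid matches OWIN KeyId:",
          kid_matches_thumbprint(SIGNING_KID, "1E50B4475DAC931359D564309A3385FFAB7FB431"))
```

Run it against a real captured access token by passing the token string and your API's App ID URI to `diagnose_access_token`; if the first finding mentions `nonce`, the fix is in the SPA's requested scopes and the API's app registration, not in the OWIN validation settings.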