Tags: c#, asp.net-mvc, owin, azure-ad-b2c, azure-ad-b2c-custom-policy

Azure b2c error: IDX10501: Signature validation failed. Unable to match key: kid: 'gLv****************'


I am authenticating an ASP.NET MVC app against Azure B2C; the Startup.cs code is as follows:

public void ConfigureAuth(IAppBuilder app)
{
    IdentityModelEventSource.ShowPII = true;
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Generate the metadata address using the tenant and policy information.
            // The middleware downloads the signing keys (jwks_uri) from this document,
            // so it must point at the policy that actually issues the tokens.
            MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = Globals.ClientId,
            RedirectUri = Globals.RedirectUri,
            PostLogoutRedirectUri = Globals.RedirectUri,

            // Specify the callbacks for each type of notification
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
            },

            // Specify the claim type that supplies the Name property.
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                // Issuer validation is switched off here: the "iss" claim of the
                // token is not compared against the issuer in the metadata document.
                ValidateIssuer = false
            },

            // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
            Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}"
        });
}

It's giving the below error when using a custom policy: IDX10501: Signature validation failed. Unable to match key: kid: 'gL****************'. Exceptions caught: ''. token: typ":"JWT","alg":"RS256","kid":"gL****************"}. {"exp":1599625561,"nbf":1599621961,"ver":"1.0","iss":......................}

I have verified that this key and token are exactly the same as I am getting from https://jwt.ms. It's only throwing the error while I am using a custom policy; if I use a built-in policy it works as expected.

Any help on what is missing here?

Thanks.


Solution

  • As confirmed, it was a problem with the Signing key and Encryption key in your custom policy. Creating both correctly fixed the issue.

    Create the signing key

    1. Select Policy Keys and then select Add.
    2. For Options, choose Generate.
    3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
    4. For Key type, select RSA.
    5. For Key usage, select Signature.
    6. Select Create.

    Create the encryption key

    1. Select Policy Keys and then select Add.
    2. For Options, choose Generate.
    3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
    4. For Key type, select RSA.
    5. For Key usage, select Encryption.
    6. Select Create.
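The IDX10501 message in the question says the middleware could not find the token's `kid` among the keys it downloaded from the metadata document's `jwks_uri`. The following added diagnostic (not from the question, the answer, or Microsoft's libraries) reproduces that one check offline: it decodes the JOSE header of a token and looks the `kid` up in a JWKS document. The JWKS and token below are constructed fixtures with placeholder kids; on a real tenant you would paste the JWKS fetched from the custom policy's metadata address, where the key created as B2C_1A_TokenSigningKeyContainer should appear.

```python
import base64
import json

# Constructed sample JWKS in the shape a B2C policy serves at its jwks_uri.
# The kid and modulus values are placeholders, not real B2C key material.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "SIGNING-KEY-KID-PLACEHOLDER", "kty": "RSA", "use": "sig",
         "n": "AQAB", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip off."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict):
    """Return the JWK whose kid matches the token header, or None.

    None is the situation behind IDX10501: the keys downloaded from the
    configured metadata document (built-in or custom policy) do not include
    the kid the token was signed with, so the signature cannot be checked.
    """
    header = jwt_header(token)
    kid = header.get("kid")
    if not kid or header.get("alg") != "RS256":
        return None
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def make_test_token(header: dict, payload: dict) -> str:
    """Build a compact token with an empty signature; a constructed fixture only."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}."
```

If `find_signing_key` returns None for a token issued by the custom policy while the JWKS came from that same policy's metadata address, the policy is not publishing the signing key the token references, which is the condition the accepted answer fixes by creating the policy keys.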