Tags: c#, azure-active-directory, azure-ad-graph-api, verify

IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey


We have an Angular application that is using the capacitor-oauth2 library to get tokens from our Azure AD and Azure B2C AD. When I have the token from B2C, I can verify it with the following code in my Program.cs and I can call my controller function:

using Microsoft.AspNetCore.Authentication.JwtBearer;

builder.Services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    // Handler registered under the scheme name "B2C"; this differs from the default
    // scheme name set above ("Bearer"), so the scheme is selected where it is used,
    // e.g. [Authorize(AuthenticationSchemes = "B2C")].
    .AddJwtBearer("B2C", options =>
    {
        // Metadata endpoint of the B2C user flow: issuer and signing keys are fetched from here
        options.Authority = "https://eisvogel2.b2clogin.com/eisvogel2.onmicrosoft.com/B2C_1_susi/v2.0/";
        // Expected "aud" claim: the application (client) id of this API
        options.Audience = "6fba7d06-5b7a-41bd-8371-6f1ad6f3176c";
    });

But when I get a token from our internal AD, which is coming from MS Graph, whatever I do I always get the following exception:

[image: the exception message, IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey]

For this I'm using the code that the Studio is generating when creating a new solution with authentication:

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

and changed the config:

[image: the changed configuration]

I already tried the conclusions from various posts, but nothing really helps.

I know there are a lot of similar posts, and I've been searching for 3 days now. It would be nice if someone could nudge me in the right direction.

Remark: I forgot to mention that I built the solution on .NET 6. Are there any differences to the predecessors?


Solution

  • Thanks @kavya Saraboju for pointing me again to this post. After some more digging I understood that I have to use the same scope on server and client side, and it must be the scope name you can find under "Expose an API" in Azure, which looks like this:

    "Scopes": "api://xxxa2967-1111-2222-3333-xxx9c0d72231/tasks.read",

    I played around with so many scopes (openid, ones starting with http://, just the name) and nothing worked. So for all others: there are hundreds of examples out there with different ideas; just copy your data from Azure, and if you have more than one application that has to deal with Azure AD, the configuration must be equal.
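As an added example (not the asker's code), here is a .NET 6 API that validates tokens the way the generated template does, enforces the scope from the answer with RequiredScope, and on every rejected token logs its issuer, audience and scp next to the audience the API expects, so a mismatch between the scope the client requested and the one the server checks is visible in the log instead of only as IDX10511. The scope name tasks.read comes from the answer; the tenant id and client id are placeholders, and the JSON in the comment stands for the AzureAd section of appsettings.json.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;
using System.IdentityModel.Tokens.Jwt;
var builder = WebApplication.CreateBuilder(args);
// "AzureAd" section of appsettings.json (ids are placeholders):
//   "Instance": "https://login.microsoftonline.com/", "TenantId": "<tenant-id>",
//   "ClientId": "<api-client-id>", "Scopes": "tasks.read"
// Signature, issuer and audience (ClientId or api://<api-client-id>) are validated.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
// On rejection, log iss/aud/scp of the token (decoded only, never trusted) beside the
// audience this API expects; a token minted for another resource shows a foreign aud.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new JwtBearerEvents();
    options.Events.OnAuthenticationFailed = ctx =>
    {
        var header = ctx.Request.Headers.Authorization.ToString();
        var handler = new JwtSecurityTokenHandler();
        if (header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
            && handler.CanReadToken(header[7..]))
        {
            var jwt = handler.ReadJwtToken(header[7..]); // do not log the raw token itself
            ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>().LogWarning(
                "Rejected token ({Error}): iss={Iss} aud={Aud} scp={Scp}; expected aud {Expected}",
                ctx.Exception.GetType().Name, jwt.Issuer, string.Join(' ', jwt.Audiences),
                jwt.Claims.FirstOrDefault(c => c.Type == "scp")?.Value,
                builder.Configuration["AzureAd:ClientId"]);
        }
        return Task.CompletedTask;
    };
});
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
// scp carries the bare scope name ("tasks.read"); the client requests it as
// "api://<api-client-id>/tasks.read", the full value shown under "Expose an API".
[ApiController, Route("api/[controller]"), Authorize]
public class TasksController : ControllerBase
{
    [HttpGet, RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
    public IActionResult Get() => Ok(new { user = User.Identity?.Name });
}
```

A token whose logged aud is not this API's client id (or api://&lt;client id&gt;) was acquired for a different resource, which is exactly the case the answer describes: client and server must agree on the same exposed scope.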