Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
I added a working corporate login (EntraId) for my company in Azure AD B2C with custom policies.Now I can login and I add an access token to the claims, which I sent with my API-Calls Microsoft learn.
I extract this token from the claims of my b2c-iss id-token and add him in the header of my requests. As a response I get an 401 (Unauthorized) with the description:
Authentication Failed: IDX10511: Signature validation failed. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
This is the token I get:
{
"typ": "JWT",
"nonce": "<some id>",
"alg": "RS256",
"x5t": "<some id>",
"kid": "<some id>"
}.{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/<tenantId>/",
"iat": <some data>,
"nbf": <some data>,
"exp": <some data>,
"acct": 0,
"acr": "1",
"aio": "<some id>",
"amr": [
"pwd"
],
"app_displayname": "<display name>",
"appid": "<app id>",
"appidacr": "1",
"family_name": "<my family name>",
"given_name": "<my given name>",
"idtyp": "user",
"ipaddr": "<ip address>",
"name": "<my name>",
"oid": "<object id>",
"onprem_sid": "<some id>",
"platf": "3",
"puid": "<some id>",
"rh": "0.xy.",
"scp": "email openid profile User.Read",
"signin_state": [
"inknownntwk",
"kmsi"
],
"sub": "<some id>",
"tenant_region_scope": "EU",
"tid": "<tenant id>",
"unique_name": "<email>",
"upn": "<email>",
"uti": "<some id>",
"ver": "1.0",
"wids": [
"<some id>"
],
"xms_idrel": "1 10",
"xms_st": {
"sub": "<some id>"
},
"xms_tcdt": <some int>,
"xms_tdbr": "EU"
}.[Signature]
What am I doing wrong?
I searched a lot in some forums but didn't get any answer. I'm on this error since days and can't find anything working for the specific error.
Note that: The access token with aud 00000003-0000-0000-c000-000000000000 or https://graph.microsoft.com is for Microsoft Graph API shouldn't be validated as the token is not meant for the application.
- Microsoft Graph API tokens use a bit different for signing and you cannot use the same methods to validate Microsoft Graph API tokens.
- The tokens generated for the custom API, or the application must be validated only.
I got the same error when decoded the Microsoft Graph API token:
Hence do not validate the Microsoft Graph API tokens and call the API.
Only the tokens generated for the application by exposing the API and granting permissions can be validated.
And Grant API permissions:
Generate the access token by passing scope as https://b2c.onmicrosoft.com/xxx/Endpoint openid offline_access and validate the scope like below:
<Item Key="scope">https://b2c.onmicrosoft.com/XXX/Enpoint</Item>
Reference:
- ADF Out of memory exception
- Azure DevOps pipeline is throwing a "##[error]Project file(s) matching the specified pattern were not found". when publishing my app?
- Microsoft Entra ID: Receiving Old Token Version Despite Setting accessTokenAcceptedVersion to 2
- Rule Syntax for Azure user.memberof
- (unknown) Precondition failed when trying to create MS Graph Subscription
- Azure Function App Service Bus Trigger: Process 1 message at a time
- Azure HTTP Trigger - How to extract query parameter value from input binding- cosmosDB
- Python app deployment to Azure web app from pipeline not including requirement packages
- Force Azure Function using Service Bus Queues to only process one mesage at a time
- Azure Web Role with Transient Fault Handling Block exception: The path is too long after being fully qualified
- Azure Bicep - How to create diagnostic settings for NetworkInterface of private endpoint
- Is there a way to get static ip address for Azure Data Factory
- azure key vault - lag on secret changes
- How to create connection to create - queue item - HTTP Trigger - local - Azurite - Azure Queue Storage
- Getting error "404 The specified blob does not exist" when downlading blob using Uri
- How scopes are added to token in Azure Entra ID?
- Why does my Azure Cosmos DB SQL API Container Refuse Multiple Items With Same Partition Key Value?
- Postgres on Azure kubernetes volume permission error
- Azure: Subscribing to an external MQTT Broker
- azure.storage.blob._shared.authentication.AzureSigningError: Incorrect padding - Argo workflow
- Bash variable in JMESPath query expression
- Azure Devops pipeline failing due to AZ.Accounts Module update by MSFT
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- AADSTS65001: The user or administrator has not consented to use the application with ID '<application ID>
- Access Package Endpoint doesn't seem to be working
- install docker bash script doesn't work when used as Custom Data for Azure VM
- Docker image is not updating on Azure container registry via gitlab
- Terraform - How to find Azure Kubernetes AKS vnet ID for network peering
- Using Azure DataLakeServiceClient to download a file got forbidden response after few minutes success
- Verify that Bicep can return values from Azure Key vault