I added a working corporate login (Entra ID) for my company in Azure AD B2C with custom policies. Now I can log in, and I add an access token to the claims, which I send with my API calls (Microsoft Learn).
I extract this token from the claims of my B2C-issued ID token and add it to the header of my requests. As a response I get a 401 (Unauthorized) with the description:
Authentication Failed: IDX10511: Signature validation failed. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
This is the token I get:
{
"typ": "JWT",
"nonce": "<some id>",
"alg": "RS256",
"x5t": "<some id>",
"kid": "<some id>"
}.{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/<tenantId>/",
"iat": <some data>,
"nbf": <some data>,
"exp": <some data>,
"acct": 0,
"acr": "1",
"aio": "<some id>",
"amr": [
"pwd"
],
"app_displayname": "<display name>",
"appid": "<app id>",
"appidacr": "1",
"family_name": "<my family name>",
"given_name": "<my given name>",
"idtyp": "user",
"ipaddr": "<ip address>",
"name": "<my name>",
"oid": "<object id>",
"onprem_sid": "<some id>",
"platf": "3",
"puid": "<some id>",
"rh": "0.xy.",
"scp": "email openid profile User.Read",
"signin_state": [
"inknownntwk",
"kmsi"
],
"sub": "<some id>",
"tenant_region_scope": "EU",
"tid": "<tenant id>",
"unique_name": "<email>",
"upn": "<email>",
"uti": "<some id>",
"ver": "1.0",
"wids": [
"<some id>"
],
"xms_idrel": "1 10",
"xms_st": {
"sub": "<some id>"
},
"xms_tcdt": <some int>,
"xms_tdbr": "EU"
}.[Signature]
What am I doing wrong?
I searched a lot in some forums but didn't get any answer. I've been stuck on this error for days and can't find anything that works for this specific error.
Note that the access token with aud 00000003-0000-0000-c000-000000000000 or https://graph.microsoft.com is for the Microsoft Graph API and shouldn't be validated, as the token is not meant for the application.
I got the same error when I decoded the Microsoft Graph API token:
Hence, do not validate the Microsoft Graph API tokens and call the API.
Only the tokens generated for the application by exposing the API and granting permissions can be validated.
And Grant API permissions:
Generate the access token by passing the scope as https://b2c.onmicrosoft.com/xxx/Endpoint openid offline_access and validate the scope like below:
<Item Key="scope">https://b2c.onmicrosoft.com/XXX/Enpoint</Item>
Reference:
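To make the answer's point concrete, here is an added example (not code from the question or the answer) that pre-checks a bearer token's claims before any signature check, so a Graph token like the one in the question is rejected with a clear reason instead of an opaque IDX10511. The API app id, the B2C issuer URL and the scope name are placeholders I assumed; a real resource server still verifies the RS256 signature against the issuer's JWKS after these checks pass.

```python
import base64
import json

# Constructed placeholders, not values from the question or answer.
EXPECTED_AUD = "11111111-2222-3333-4444-555555555555"            # this API's app id
EXPECTED_ISS = "https://b2ctenant.b2clogin.com/<tenant id>/v2.0/"  # B2C issuer
REQUIRED_SCOPE = "Endpoint"
GRAPH_AUD = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    # Builds a token with an empty signature, only to exercise the claim checks.
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def precheck_claims(token: str) -> list[str]:
    """Return the reasons a token must be rejected before signature validation.
    An empty list means the claims look like they were issued for this API;
    signature verification against EXPECTED_ISS's JWKS must still follow."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    problems = []
    aud = claims.get("aud")
    if aud in (GRAPH_AUD, "https://graph.microsoft.com"):
        problems.append("aud is Microsoft Graph: token was not issued for this API")
    elif aud != EXPECTED_AUD:
        problems.append(f"aud {aud!r} does not match this API")
    if claims.get("iss") != EXPECTED_ISS:
        # A token from another issuer is signed with keys this API never fetches,
        # which is what surfaces as 'Signature validation failed. Keys tried: ...'.
        problems.append(f"iss {claims.get('iss')!r} is not the expected B2C issuer")
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        problems.append(f"scp lacks required scope {REQUIRED_SCOPE!r}")
    return problems
```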