Azure AD-B2C error: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'

Posted by 与世无争的帅哥 on 2019-12-31 02:57:24

Question


I'm using Swagger to make API calls. For authentication I'm able to generate a Bearer token, but after that I'm getting 401 in response. After checking the logs, below is the error:

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'

My ConfigureAuth method is as below:

    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.Jwt;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    private static void ConfigureAuth(IAppBuilder app)
    {
        // OpenID Connect discovery URL, assembled from the AadInstance format
        // string plus the tenant and sign-in policy names in AuthConfig.
        var metadataEndpoint = string.Format(
            configProvider.GetConfigValue<string>("ida:AadInstance", "AuthConfig"),
            configProvider.GetConfigValue<string>("ida:Tenant", "AuthConfig"),
            configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"));

        // Comma-separated list of audiences (client IDs) the API will accept.
        string[] validAudiences = configProvider.GetConfigValue<string>("ida:Audiences", "AuthConfig").Split(',');
        TokenValidationParameters tvps = new TokenValidationParameters
        {
            ValidAudiences = validAudiences,
            AuthenticationType = configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"),
            ValidateAudience = true,
            ValidateIssuer = configProvider.GetConfigValue<bool>("validateIssuer", "AuthConfig"),
            ValidateLifetime = true,
            ValidAudience = configProvider.GetConfigValue<string>("Swagger:ClientId", "AuthConfig"),
            //NameClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier",
        };

        //SecurityToken securityToken;
        //JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
        app.UseOAuthBearerAuthentication(
            new OAuthBearerAuthenticationOptions
            {
                // Signing keys are resolved from the metadata endpoint above.
                // OpenIdConnectCachingSecurityTokenProvider is a project-supplied
                // helper class, not part of the OWIN packages.
                AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)),
                Provider = new OAuthBearerAuthenticationProvider()
                {
                    OnRequestToken = (context) =>
                    {
                        if (!string.IsNullOrEmpty(context.Token))
                        {
                        }

                        return Task.FromResult<int>(0);
                    },
                    OnValidateIdentity = (context) =>
                    {
                        ////TO DO
                        //// Steps to perform after identity validation

                        return Task.FromResult<int>(0);
                    }
                }
            });
    }


Answer 1:


I was able to validate the token by passing the correct metadata endpoint:

https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/.well-known/openid-configuration




Answer 2:


I had to update my OpenIdConnectAuthenticationOptions.MetadataAddress to https://login.microsoftonline.com/tfp/{tenantId}/{policyId}/v2.0/.well-known/openid-configuration.




Answer 3:


Turns out this is the same message that will be reported when the issuer signs the token with an algorithm other than RSA. Apparently ECDSA will be available soon: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/487
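The three answers describe two distinct causes behind the same IDX10501 message: the validator loaded its signing keys from the wrong metadata endpoint (answers 1 and 2, fixed by the /tfp/{tenant}/{policy} discovery URL), or the token is signed with an algorithm the validator cannot handle (answer 3). The script below is an added diagnostic, not code from the question or any answer, that tells the two apart offline: it builds the policy metadata URL, decodes a token's JOSE header, and checks the kid against a JWKS document. The key sets, kids, tokens and the RSA-only algorithm list are constructed for the demo; a real token and the JWKS fetched from the discovery document's jwks_uri would be substituted.

```python
"""Diagnose IDX10501 ("Unable to match keys") for an Azure AD B2C bearer token.

Added example; not code from the original question or answers. It reproduces
the two causes the answers describe: (1) the signing keys were fetched from
the tenant's plain (non-B2C) metadata endpoint, so the token's kid is absent
from the key set; (2) the token is signed with an algorithm the validator
does not support (answer 3). Every key, kid and token below is constructed.
"""
import base64
import json

# Metadata endpoint for a B2C policy (user flow), as in answers 1 and 2.
B2C_METADATA = ("https://login.microsoftonline.com/tfp/{tenant}/{policy}"
                "/v2.0/.well-known/openid-configuration")


def b2c_metadata_url(tenant: str, policy: str) -> str:
    """Build the policy-specific discovery URL the validator must be given."""
    return B2C_METADATA.format(tenant=tenant, policy=policy)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT. No signature is checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[0]))


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed token with a dummy signature, enough to exercise header checks."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), _b64url_encode(b"\x00" * 32)])


# Assumption for the demo: an RSA-only validator, as answer 3 describes for the
# IdentityModel version current at the time of the thread.
SUPPORTED_ALGS = frozenset({"RS256", "RS384", "RS512"})


def diagnose(token: str, jwks: dict, supported_algs=SUPPORTED_ALGS) -> tuple:
    """Return (status, detail) explaining whether a key for this token resolves.

    status is one of "ok", "kid_not_found", "unsupported_alg".
    """
    hdr = jwt_header(token)
    kid, alg = hdr.get("kid"), hdr.get("alg")
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if kid not in kids:
        return ("kid_not_found",
                f"kid {kid!r} not in key set {sorted(kids)}: keys were probably "
                f"loaded from the wrong metadata endpoint; use the /tfp/ policy URL")
    if alg not in supported_algs:
        return ("unsupported_alg",
                f"kid {kid!r} is present but alg {alg!r} is not supported; the "
                f"validator still reports IDX10501 (see answer 3)")
    return ("ok", f"kid {kid!r} found, alg {alg!r} supported")


# Constructed key sets: what the policy (tfp) endpoint's jwks_uri publishes
# versus what the tenant's plain endpoint publishes. Moduli are placeholders.
POLICY_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "b2c-policy-key-1",
                         "n": "placeholder-modulus", "e": "AQAB"}]}
TENANT_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "aad-tenant-key-1",
                         "n": "placeholder-modulus", "e": "AQAB"}]}

# Constructed tokens: an RS256 token from the policy, and the same header
# with an ECDSA algorithm.
RS_TOKEN = make_unsigned_token({"typ": "JWT", "alg": "RS256", "kid": "b2c-policy-key-1"},
                               {"aud": "swagger-client-id", "tfp": "B2C_1_SignIn"})
EC_TOKEN = make_unsigned_token({"typ": "JWT", "alg": "ES256", "kid": "b2c-policy-key-1"},
                               {"aud": "swagger-client-id", "tfp": "B2C_1_SignIn"})

if __name__ == "__main__":
    print(b2c_metadata_url("contoso.onmicrosoft.com", "B2C_1_SignIn"))
    for name, tok, jwks in [("policy keys, RS256", RS_TOKEN, POLICY_JWKS),
                            ("tenant keys, RS256", RS_TOKEN, TENANT_JWKS),
                            ("policy keys, ES256", EC_TOKEN, POLICY_JWKS)]:
        print(f"{name}: {diagnose(tok, jwks)}")
```

The kid check runs before the algorithm check on purpose: a token whose kid is missing from the key set will fail regardless of algorithm, so the endpoint is the first thing to fix; only once the kid resolves does the algorithm become the remaining explanation for the same error message.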



Source: https://stackoverflow.com/questions/51221979/azure-ad-b2c-error-idx10501-signature-validation-failed-unable-to-match-keys
