Reputation: 61
I am using this package to authenticate the user from the React Native mobile app. After acquiring the access token I am sending it to my .NET WebAPI which tries to call ConfidentialClientApplication.AcquireTokenOnBehalfOf. Both the React Native mobile app and the WebAPI are using the same client id from the Azure app registration and scopes.
    public async Task<AuthenticationResult> AquireTokenOnBehalfOf(IEnumerable<string> scopes, string jwt)
    {
        var userAssertion = new UserAssertion(jwt);
        var res = await ConfidentialClientApplication.AcquireTokenOnBehalfOf(scopes, userAssertion).ExecuteAsync();
        return res;
    }
It returns the below error:
Microsoft.Identity.Client.MsalUiRequiredException: 'AADSTS50013: Assertion failed signature validation. [Reason - The provided signature value did not match the expected signature value., Thumbprint of key used by client: '9CEA37643ACE0D710AD63296857B251D1FCA5C48', Found key 'Start=12/21/2020 20:50:17, End=12/20/2025 20:50:17'] Trace ID: a03a5cf8-8d05-4bd2-a47a-ce3a1ce70e00 Correlation ID: 8b42b1c2-21bc-4d63-9b90-bafb81f83d32 Timestamp: 2021-02-23 14:13:26Z'
I have the Azure AD app set up as per this. I am not using the JWT bearer middleware though, but rather receiving the access token from the client and using it to create a UserAssertion and call ConfidentialClientApplication.AcquireTokenOnBehalfOf.
Am I misconfiguring something?
Thanks
Upvotes: 2
Views: 2775
Reputation: 61
I got this working by carefully following the example here. I hadn't configured what was required in the "Expose an API" blade of the app registration and subsequently hadn't added the new api permissions.
Upvotes: 1
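Added example (not part of the original posts and not MSAL code): the on-behalf-of call expects an assertion whose `aud` claim names the Web API itself, which is what a token requested with a scope from the "Expose an API" blade carries. This check reads `aud` from the incoming token before `UserAssertion` is built; the class and method names, the placeholder client id and the sample tokens are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class OboAssertionCheck
{
    // Decode the JWT payload WITHOUT verifying the signature (diagnostic only;
    // the API must still validate incoming tokens before trusting them).
    public static JsonElement ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');   // base64url -> base64
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();
    }

    // True only if "aud" names this API (its client id or its App ID URI).
    public static bool IsIssuedForThisApi(string jwt, params string[] accepted)
    {
        if (!ReadPayload(jwt).TryGetProperty("aud", out var aud)) return false;
        var values = aud.ValueKind == JsonValueKind.Array
            ? aud.EnumerateArray().Select(a => a.ValueKind == JsonValueKind.String ? a.GetString() : null)
            : new[] { aud.ValueKind == JsonValueKind.String ? aud.GetString() : null };
        return values.Any(v => accepted.Contains(v, StringComparer.OrdinalIgnoreCase));
    }

    // Constructed sample token: unsigned, only the payload matters here.
    static string Sample(string aud)
    {
        string Enc(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Enc("{\"alg\":\"none\"}") + "." + Enc("{\"aud\":\"" + aud + "\"}") + ".x";
    }

    public static void Main()
    {
        const string clientId = "11111111-2222-3333-4444-555555555555"; // placeholder
        var accepted = new[] { clientId, "api://" + clientId };
        // Token requested with a scope the API exposes: usable as an OBO assertion.
        Console.WriteLine(IsIssuedForThisApi(Sample("api://" + clientId), accepted));
        // Token requested for some other resource: reject before calling OBO.
        Console.WriteLine(IsIssuedForThisApi(Sample("https://other.example"), accepted));
    }
}
```

Run as written it prints `True` then `False`; in the Web API, a `False` result means the mobile app requested its token for a different resource and the OBO exchange should not be attempted with it.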