Reputation: 8203
I have three applications participating in the Azure AD OBO flow:
Angular FrontEnd --> Registered with AzureAD as OIDC app
ASP.NET Core Web API --> Registered with AzureAD as SAML app
NAV OData Service --> Registered with AzureAD as SAML app
Here goes the complete flow:
Angular frontend application signs a user into Azure AD and requests a delegated access token for Web API 1 (ASP.NET Core Web API)
Client application then calls Web API 1 with the issued access token
Web API 1 in turn needs to call a downstream Web API 2 (NAV OData Services), so it uses its access token (from step 2 above) to request an access token for Web API 2. What happens in this step is that Web API 1 uses the OBO flow to exchange its access token for another resource's access token. The exchanged token is still issued on behalf of the originally signed-in user and it has delegated permission.
Web API 1 uses the new access token to call Web API 2
In the above I am getting an error in step 3.
Error details:
One or more errors occurred. (AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Thumbprint of key used by client: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']
Trace ID: afc20e5e-ebea-4546-af4b-820f48083e01
Correlation ID: b5d8d7b5-52d1-430d-af81-d34918970831
Timestamp: 2021-05-03 11:35:25Z)
Can anyone help me here by providing their guidance to fix this issue?
In this case the Angular frontend is using the implicit flow.
https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/authorize?response_type=token&scope=api://xxxx--<WEB API 1>.default%20openid%20profile&client_id=<Application (client) ID>&redirect_uri=<ApplicationURL>&state=xxxx&nonce=yyyy&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=msal&[email protected]&client-request-id=yyyyyy&prompt=none&response_mode=fragment
Here goes the id_token received:
{
"aud": "<Application (client) ID>",
"iss": "https://login.microsoftonline.com/<tenantid>/v2.0",
"iat": 1620380572,
"nbf": 1620380572,
"exp": 1620384472,
"aio": "AWQAm/8TAAAAIVowa1CNNUEB/tB/OcgatUBo9SzDJch09USynyiE+S+be6xkV9TczjRol4Td0czWrdsrzoqDBHUQxbAcnPT90InTNwLfYeHon5Vvk6eFsn2omrgpYlCj90QIXtIoduhd",
"email": "[email protected]",
"name": "mytestaccount, mytestaccount",
"nonce": "078bca2a-35ef-457d-96d8-92db7ac3d106",
"oid": "96035811-49f6-4246-923f-4edba4555e14",
"preferred_username": "[email protected]",
"rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
"sub": "BAc2RwnOjKjv8vxtS0zOSQ0kgQ74zEvWJDmWnMoWdyM",
"tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
"uti": "8r7u-zYcr0GSNUdl4STUAQ",
"ver": "2.0"
}
Access token for accessing WEB API 1:
{
"aud": "api://xxxx--<WEB API 1>",
"iss": "https://sts.windows.net/36da45f1-dd2c-4d1f-af13-5abe46b99921/",
"iat": 1620380574,
"nbf": 1620380574,
"exp": 1620384474,
"acr": "1",
"aio": "AVQAq/8TAAAAoi/awR8N8P1eapXNZfcGKhsy9uKyL6qv77raeIKYLOyZjXtsVKXMELCu+qZvKJtSaYm/nemvyUPc2OvJiPrvwpwrteqSU1iYM5C4xfPTxHo=",
"amr": [
"pwd",
"rsa",
"mfa"
],
"appid": "<Application (client) ID>",
"appidacr": "0",
"deviceid": "b55e39a3-f492-4679-83e2-53fcd024beba",
"email": "[email protected]",
"family_name": "mytestaccount",
"given_name": "mytestaccount",
"ipaddr": "xx.xx.xx.xx",
"name": "mytestaccount, mytestaccount",
"oid": "96035811-49f6-4246-923f-4edba4555e14",
"onprem_sid": "S-1-5-21-238447276-1040861923-1850952788-976396",
"rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
"scp": "user_impersonation",
"sub": "F5atxEe7z2ooojdNoFhaAG_Xs2SBnnkYKJ4yCCWT1HA",
"tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
"unique_name": "[email protected]",
"upn": "[email protected]",
"uti": "ll2WpznLGEq23DrUk4eoAQ",
"ver": "1.0"
}
Upvotes: 2
Views: 10739
Reputation: 9519
I can get access tokens for api 1 and api 2. This is my test process:
First, I exposed the API of api 1 and added a client application.
Next, use the implicit flow to obtain the access token of the middle-tier api 1. Request the id token and access token in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid api://{api 1 client id}/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910
Parse the access token of api 1.
Next, expose the api of api 2 and add api 1 as a client application.
Finally, use the OBO flow to get the access token of api 2 (note: the assertion parameter is the access token of api 1).
Parse the access token of api 2.
Upvotes: 5
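The exchange in step 3 of the question and in the answer's last step, as an added example that is not part of the original post or either author's code: it shows what the middle-tier API (Web API 1) sends to the v2.0 token endpoint for the on-behalf-of grant, and a pre-flight check on the incoming bearer token that catches the two tokens that cannot serve as the OBO assertion, an id_token (audience is the SPA's client id, no scp claim) and an access token issued for a different resource. The identifier URIs (api://web-api-1, api://nav-odata), tenant id, client id, secret and the sample JWT are all hypothetical and constructed here; the sample JWT carries a fake signature because Azure AD, not this code, validates the signature, and the check only reads claims.

```python
"""Added example (not from the original post): build and sanity-check an
Azure AD on-behalf-of (OBO) token request, as the middle-tier API would.

Assumptions (hypothetical values): the middle-tier API's identifier URI is
api://web-api-1, the downstream API's is api://nav-odata; tenant id, client
id and secret are placeholders. The sample JWT is constructed here with a
fake signature: Azure AD validates the signature, this pre-check only reads
claims to catch the wrong token being used as the assertion.
"""
import base64
import json

# RFC 7523 grant type used by Azure AD for the OBO exchange.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed test token: real header/payload encoding, fake signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.
    Use only for pre-flight diagnostics; authorization decisions must be
    made on a token the API's JWT middleware has already verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_assertion(token: str, my_app_id_uri: str, my_client_id: str) -> dict:
    """Reject tokens that cannot work as an OBO assertion for this API:
    - id_tokens (aud is the SPA's client id and there is no scp/roles),
    - access tokens issued for some other resource (aud is not us).
    Returns the decoded claims on success."""
    claims = peek_claims(token)
    aud = claims.get("aud")
    # v1.0 tokens carry the App ID URI, v2.0 tokens may carry the client id.
    if aud not in (my_app_id_uri, my_client_id):
        raise ValueError(f"assertion audience {aud!r} is not this API")
    if "scp" not in claims and "roles" not in claims:
        raise ValueError("assertion carries no scp/roles claim; is this an id_token?")
    return claims


def build_obo_request(tenant_id: str, client_id: str, client_secret: str,
                      assertion: str, downstream_scope: str):
    """Return (token_endpoint, form_fields) for the v2.0 OBO exchange.
    The caller POSTs form_fields as application/x-www-form-urlencoded."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,          # middle-tier API's own client id
        "client_secret": client_secret,  # or client_assertion for a certificate
        "assertion": assertion,          # the access token received from the SPA
        "scope": downstream_scope,       # e.g. api://nav-odata/.default
        "requested_token_use": "on_behalf_of",
    }
    return endpoint, form


if __name__ == "__main__":
    # Constructed inputs; shaped like the v1.0 access token shown in the question.
    incoming = make_sample_jwt({"aud": "api://web-api-1", "scp": "user_impersonation",
                                "ver": "1.0", "tid": "00000000-0000-0000-0000-000000000000"})
    check_assertion(incoming, "api://web-api-1", "11111111-1111-1111-1111-111111111111")
    endpoint, form = build_obo_request("00000000-0000-0000-0000-000000000000",
                                       "11111111-1111-1111-1111-111111111111",
                                       "<secret>", incoming, "api://nav-odata/.default")
    print(endpoint)
    print({k: (v[:20] + "..." if k == "assertion" else v) for k, v in form.items()})
```

Run the pre-check on the raw bearer token your API received before calling the token endpoint: if it fails, the problem is which token is being forwarded, not the OBO configuration. If it passes, the remaining inputs worth re-checking are that the scope is the downstream API's own identifier with /.default (or a specific exposed scope) and that the middle-tier API is listed as an authorized client application on that downstream API, which is what the answer's "add api 1 as a client application" step does.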