For an existing Angular & .NET Core 2.2 App I have configured an optional Microsoft Azure AD login, but the IIS server always tells me that the token's signature is invalid. This can be seen in a request to an API annotated with [Authorize]:
WWW-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"
WWW-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"
I have copied the exact token that was sent by the Microsoft server after successfully logging into an organization account.
These are the settings in the startup.cs file:
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer("AzureAD", options =>
{
    // Example: "https://login.microsoftonline.com/contoso.onmicrosoft.com"
    options.Authority = "https://login.microsoftonline.com/" + Configuration["AzureADTenant"];
    options.Audience = Configuration["AzureADTenant"];
    options.RequireHttpsMetadata = false;
    // for testing, no difference to before
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateLifetime = false,
        ValidateIssuerSigningKey = false,
    };
})....;

services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .AddAuthenticationSchemes("Default", "AzureAD")
        .Build();
});
And here is the msalConfig:
import { Configuration, BrowserCacheLocation, LogLevel } from '@azure/msal-browser';

// isIE as defined in the MSAL Angular sample (assumed; its definition was not shown in the post)
const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;

export const msalConfig: Configuration = {
  auth: {
    clientId: 'my-client-id', // This is the ONLY mandatory field that you need to supply.
    authority: 'https://login.microsoftonline.com/my-client-id/', // Defaults to "https://login.microsoftonline.com/common"
    redirectUri: '/', // Points to window.location.origin. You must register this URI on Azure portal/App Registration.
    postLogoutRedirectUri: '/', // Indicates the page to navigate after logout.
    navigateToLoginRequestUrl: true, // If "true", will navigate back to the original request location before processing the auth code response.
  },
  cache: {
    cacheLocation: BrowserCacheLocation.LocalStorage, // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO between tabs.
    storeAuthStateInCookie: isIE, // Set this to "true" if you are having issues on IE11 or Edge
  },
  system: {
    loggerOptions: {
      loggerCallback(logLevel: LogLevel, message: string) {
        console.log(message);
      },
      logLevel: LogLevel.Verbose,
      piiLoggingEnabled: false
    }
  }
};
I tried several variations of the authority-URL but it showed no difference. The same values are configured in the frontend. Any ideas why the signature might be invalid?
Please make sure you are providing the correct values for audience and authority in the startup class.
Audience must be the Client Id of the app, or sometimes the App ID URI, according to the application.
When you made a request for a token, check if the scope is ["User.Read"], which is for calling Microsoft Graph. As you need to call the API of your app, make sure to provide the scope for your web API exposed in the portal.
For that, select the API permissions section in the AAD portal for the app.
Before that we need to select the Expose an API section, and click Set next to the Application ID URI to generate a URI that is unique for this app (in the form of api://{clientId}).
Make sure this scope is given in the frontend app. See msal auth-config.ts (github.com)
Then retry and decode the obtained token in https://jwt.io and see if the issuer, i.e. the iss value, has the v1 or v2 endpoint. Make sure accessTokenAcceptedVersion present in the manifest in the portal is set to 2 if v2 is the endpoint, else null or 1 for v1.
Also check if the audience, i.e. the aud value, is equal to the client id, which it has to be.
Reference: msal call-api (github.com)
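An added diagnostic, not from the question or the answer above, that performs the jwt.io checks the answer describes in code: it decodes a token's claims without verifying the signature and reports the endpoint version (from ver/iss), whether iss carries the expected tenant, and whether aud is the API's client id or api://{clientId}. The tenant and client ids and the two tokens in it are constructed placeholders.

```typescript
// Added diagnostic (not from the question or answer): decode an Azure AD access
// token offline and report the checks the answer lists. It does NOT verify the
// signature; the server's JwtBearer validation still has to do that.
type Findings = { version: 'v1' | 'v2' | 'unknown'; issuerMatchesTenant: boolean; audienceMatches: boolean; hint: string };

function fromBase64Url(seg: string): string {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}
function toBase64Url(obj: object): string {
  return Buffer.from(JSON.stringify(obj)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the payload claims of a compact JWS (header.payload.signature) without checking the signature.
export function decodeClaims(token: string): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  return JSON.parse(fromBase64Url(parts[1]));
}

// tenantId: the tenant GUID that appears in iss; clientId: the API's application (client) id.
export function inspectToken(token: string, tenantId: string, clientId: string): Findings {
  const c = decodeClaims(token);
  const iss = String(c.iss ?? ''), ver = String(c.ver ?? ''), aud = String(c.aud ?? '');
  // v1 tokens: ver "1.0", iss https://sts.windows.net/{tenant}/
  // v2 tokens: ver "2.0", iss https://login.microsoftonline.com/{tenant}/v2.0
  let version: Findings['version'] = 'unknown';
  if (ver === '2.0' || iss.endsWith('/v2.0')) version = 'v2';
  else if (ver === '1.0' || iss.startsWith('https://sts.windows.net/')) version = 'v1';
  // aud must be the client id or the Application ID URI (api://{clientId}).
  // A token requested with scope User.Read is meant for Microsoft Graph and will not match.
  const audienceMatches = aud === clientId || aud === `api://${clientId}`;
  const hint = version === 'v2' ? 'accessTokenAcceptedVersion must be 2 in the app manifest' : 'accessTokenAcceptedVersion may be null or 1 for v1 tokens';
  return { version, issuerMatchesTenant: iss.includes(tenantId), audienceMatches, hint };
}

// Constructed sample values (placeholders, not real tenants or apps).
export const TENANT = '11111111-1111-1111-1111-111111111111';
export const API_CLIENT_ID = '22222222-2222-2222-2222-222222222222';
// Unsigned constructed v2 token whose aud is our API: the good case.
export const GOOD_TOKEN = `${toBase64Url({ alg: 'RS256', typ: 'JWT' })}.${toBase64Url({
  iss: `https://login.microsoftonline.com/${TENANT}/v2.0`, aud: API_CLIENT_ID, ver: '2.0',
})}.sig`;
// Same tenant, v1 issuer, but aud is a different app: the scope-mismatch case.
export const WRONG_AUD_TOKEN = `${toBase64Url({ alg: 'RS256', typ: 'JWT' })}.${toBase64Url({
  iss: `https://sts.windows.net/${TENANT}/`, aud: '33333333-3333-3333-3333-333333333333', ver: '1.0',
})}.sig`;
```

Paste a real token in place of the constructed ones to see which of the three settings (version, tenant, audience) disagrees with the startup configuration.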