
I have set up MSAL to fetch tokens from Azure AD B2C and set up a dotnet core WebAPI to accept JWT tokens. I pointed the WebAPI at the Authority endpoint:

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(jwtOptions =>
    {
        string tenant = Configuration["AzureAdB2C:Tenant"],
               policy = Configuration["AzureAdB2C:Policy"],
               clientId = Configuration["AzureAdB2C:ClientId"];

        // Authority in the tfp form; the handler downloads the policy's
        // metadata and signing keys from here and validates iss against it
        jwtOptions.Authority = $"https://login.microsoftonline.com/tfp/{tenant}/{policy}/v2.0/";
        // Must equal the token's aud claim (the B2C application/client id)
        jwtOptions.Audience = clientId;
        jwtOptions.Events = new JwtBearerEvents
        {
            // Called with the validation exception when the token is rejected
            OnAuthenticationFailed = AuthenticationFailed
        };
    });

as per the samples. MSAL is configured to use the same policy and the same client Id, and it receives a token.

MSAL Authority - https://login.microsoftonline.com/tfp/{tenant}.onmicrosoft.com/{policy}/v2.0.

However, that AuthFailed event handler just returns

    IDX10501: Signature validation failed. Unable to match keys.

and bounces the auth as a 401.

I went looking for signing keys and the kid of the token is not the same as the kid listed at the discovery endpoint.

https://login.microsoftonline.com/tfp/{tenant}/{policy}/discovery/v2.0/keys

Any ideas?

Comments:
  • You must not be getting tokens from that location then. Who was the iss of the token? (Commented Apr 23, 2018 at 0:29)
  • https://login.microsoftonline.com/{guid}/v2.0. This wasn't the same as the one configured in the portal. Will test later! (Commented Apr 23, 2018 at 6:54)
  • @spottedmahn, hole-in-one! Configured the portal to return the iss claim in the shorter format and everything works. (Commented Apr 23, 2018 at 20:13)
  • Nice! You should post an answer... how did you configure it in the portal? Love the golf reference btw 😉 (Commented Apr 23, 2018 at 20:18)
  • Can you add your authority value of msal.js? Reference (Commented Apr 24, 2018 at 12:19)

1 Answer


(Screenshot: Azure Policy SSO Options)

It seems that I had not selected the correct Issuer claim setting. MSAL was grabbing its token using the https://login.microsoftonline.com/{guid}/v2.0 endpoint, whereas the WebAPI was using the https://login.microsoftonline.com/tfp/{guid}/{policy}/v2.0/ issuer.

As per the docs this isn't an OpenID-compatible endpoint, but it works fine for B2C. It pays to check over the two different claim sets!
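As an added illustration (not code from the question or the answer), the following Python script does offline what the comments above suggest doing by hand: decode the token's header and claims without verifying the signature, read its kid and iss, and compare them with the key set the API's Authority publishes and the issuer the API expects. The tenant id, policy name, client id, kids and the JWKS document are constructed placeholders; the two issuer formats are the ones named on this page. The "mismatched" sample token mirrors the question's observation (short-form iss, a kid absent from the policy's key set) and the "fixed" one mirrors the state after the Issuer claim setting was changed.

```python
import base64
import json

# Constructed placeholders; none of these are the asker's real values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
POLICY = "B2C_1_signin"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# The two issuer formats discussed on the page: the short one MSAL was
# receiving, and the tfp one the WebAPI's Authority expects.
SHORT_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
TFP_ISSUER = f"https://login.microsoftonline.com/tfp/{TENANT_ID}/{POLICY}/v2.0/"

# Constructed stand-in for the policy's discovery/v2.0/keys document.
POLICY_JWKS = {
    "keys": [{"kid": "policy-signing-key-2018", "kty": "RSA", "use": "sig"}]
}


def b64url_decode(data: str) -> bytes:
    """Base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Return (header, claims) of a compact JWT. No signature check: this is
    for reading kid/iss before validation, never for trusting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def make_sample_token(kid: str, iss: str, aud: str) -> str:
    """Constructed token with a dummy signature; only the header and the
    claims matter for this diagnostic."""
    def enc(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    claims = {"iss": iss, "aud": aud, "exp": 1524500000, "tfp": POLICY}
    return ".".join([enc(header), enc(claims), b64url_encode(b"dummy-signature")])


def diagnose(token: str, expected_issuer: str, expected_audience: str, jwks: dict) -> dict:
    """Compare the token's kid, iss and aud with what the API is configured to accept."""
    header, claims = decode_unverified(token)
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    return {
        "kid": header.get("kid"),
        "iss": claims.get("iss"),
        "kid_in_jwks": header.get("kid") in known_kids,
        "iss_matches": claims.get("iss") == expected_issuer,
        "aud_matches": claims.get("aud") == expected_audience,
    }


def explain(findings: dict) -> list:
    """Reasons the JwtBearer handler would reject the token; empty if none."""
    reasons = []
    if not findings["kid_in_jwks"]:
        reasons.append(f"kid {findings['kid']!r} is not in the Authority's key set "
                       "(IDX10501: Signature validation failed. Unable to match keys)")
    if not findings["iss_matches"]:
        reasons.append(f"iss {findings['iss']!r} differs from the expected issuer; "
                       "the token was minted under a different issuer setting")
    if not findings["aud_matches"]:
        reasons.append("aud does not equal the configured Audience (client id)")
    return reasons


# Token shaped like the one in the question (short-form iss, unknown kid)
# and one shaped like the token after the policy's issuer setting was fixed.
MISMATCHED_TOKEN = make_sample_token("other-kid-1", SHORT_ISSUER, CLIENT_ID)
FIXED_TOKEN = make_sample_token("policy-signing-key-2018", TFP_ISSUER, CLIENT_ID)

if __name__ == "__main__":
    for name, tok in [("mismatched", MISMATCHED_TOKEN), ("fixed", FIXED_TOKEN)]:
        f = diagnose(tok, TFP_ISSUER, CLIENT_ID, POLICY_JWKS)
        print(name, f, explain(f) or "accepted")
```

To use it against a real token, paste the bearer token into `decode_unverified`, fetch the keys document your Authority serves (for the tfp form, the `.../discovery/v2.0/keys` URL from the question) into `POLICY_JWKS`, and pass the issuer your API is configured for as `expected_issuer`. A kid that is missing from that key set is exactly the IDX10501 symptom; an iss in the other format tells you the token came from a differently configured issuer, which is what the answer fixed in the portal.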


1 Comment

FYI, you can use the Gaussian Blur in paint.net to redact information (instead of trying to black stuff out).