briactexier-1404 asked EricVNH-3815 commented

Azure B2C OpenID external IDP ItsMe AADB2C90239: The provided token failed signature validation

Hello,

I'm trying to integrate Azure B2C with an external openID identity Provider called ItsMe : https://oidc.e2e.itsme.services/clientsecret-oidc/csapi/v0.1/.well-known/openid-configuration
I followed the steps described here : https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-itsme
Our external provider is configured with the following redirect-url : https://[tenantname].b2clogin.com/[tenantname].onmicrosoft.com/oauth2/authresp

But when I run either the User Flows or my Custom Flow, I always receive the same error:
AADB2C90239: The provided token failed signature validation. Please provide another token and try again.

I added Application Insights to try to get more information, and the error occurs in step 2 with:


 "Kind": "HandlerResult",
 "Content": {
   "Result": true,
   "RecorderRecord": {
     "Values": [
       {
         "Key": "SendErrorTechnicalProfile",
         "Value": "OpenIdConnectProtocolProvider"
       },
       {
         "Key": "Exception",
         "Value": {
           "Kind": "Handled",
           "HResult": "80131500",
           "Message": "The provided token failed signature validation. Please provide another token and try again.",
           "Data": {
             "IsPolicySpecificError": false
           },
           "Exception": {
             "Kind": "Handled",
             "HResult": "80131501",
             "Data": {}
           }
         }
       }
     ]
   },


The step 2 being :

     <OrchestrationStep Order="2" Type="ClaimsExchange">
       <Preconditions>
         <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
           <Value>objectId</Value>
           <Action>SkipThisOrchestrationStep</Action>
         </Precondition>
       </Preconditions>
       <ClaimsExchanges>
         <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
         <ClaimsExchange Id="ItsmeExchange" TechnicalProfileReferenceId="Itsme-OIDC" />
         <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
         <ClaimsExchange Id="TrackSignInRequest" TechnicalProfileReferenceId="AppInsights-SignInRequest" />
       </ClaimsExchanges>
     </OrchestrationStep>

My Technical profile looks like this :

 <ClaimsProvider>
   <Domain>itsme.be</Domain>
   <DisplayName>itsme</DisplayName>
   <TechnicalProfiles>
     <TechnicalProfile Id="Itsme-OIDC">
       <DisplayName>itsme</DisplayName>
       <Protocol Name="OpenIdConnect" />
       <Metadata>
         <Item Key="ProviderName">itsme</Item>
         <Item Key="METADATA">https://oidc.e2e.itsme.services/clientsecret-oidc/csapi/v0.1/.well-known/openid-configuration</Item>
         <Item Key="authorization_endpoint">https://oidc.e2e.itsme.services/clientsecret-oidc/csapi/v0.1/connect/authorize</Item>
         <Item Key="scope">openid service:TEST_LOGIN</Item>
         <Item Key="response_types">code</Item>
         <Item Key="response_mode">form_post</Item>
         <Item Key="token_endpoint_auth_method">client_secret_post</Item>        
         <Item Key="HttpBinding">POST</Item>         
         <Item Key="UsePolicyInRedirectUri">false</Item>
         <Item Key="client_id">*MyClientID*</Item>
       </Metadata>
       <CryptographicKeys>
         <Key Id="client_secret" StorageReferenceId="B2C_1A_ItsmeSecret" />
       </CryptographicKeys> 
       <OutputClaims>
         <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="itsme" />
         <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
         <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
         <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
         <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
         <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
         <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />            
       </OutputClaims>
       <OutputClaimsTransformations>
         <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
         <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
         <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
         <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
       </OutputClaimsTransformations>
       <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />       
     </TechnicalProfile>
   </TechnicalProfiles>
 </ClaimsProvider>

I'm currently out of ideas... I was hoping to see the actual response from the external provider using Application Insights, but I couldn't find anything useful...
Any help would be greatly appreciated...
Thanks !

Briac

azure-ad-b2c

I still didn't make it work...

But, I see my Idp is responding with a code, and if I use postman to manually request a token with the returned code, I successfully retrieve a token.
https://belgianmobileid.github.io/doc/authentication/#token-request

As per my Idp documentation, a secret key is used to authenticate to the token endpoint

How does Azure B2C validate the token signature when the token_endpoint_auth_method is set to client_secret_post?
According to Microsoft documentation, the token_signing_algorithm parameter is only used when the token_endpoint_auth_method is set to private_key_jwt.

I'm therefore not sure how Azure B2C tries to validate the token signature...


Hi @briactexier-1404, have you tried abiding by the exact values suggested by our doc? Like scope openid service:YOURSERVICECODE profile email [phone] [address], etc.

briactexier-1404 (replying to alfredorevilla-msft):

Hi, thanks for the suggestion, but this is not working (invalid request).

The documentation says to use something like this : <Item Key="scope">openid service:YOURSERVICECODE email profile</Item>

When calling the token endpoint, I receive an access token (signed using a secret) and an ID token (signed using public keys).
I can manually validate both, but I'm not sure how Azure B2C can handle this...


briactexier-1404 answered

Problem solved!

It was confirmed by the Microsoft support team that the algorithm used to validate the token must be the same as the authentication method.

In our case, we were using a client_secret (symmetric keys) to authenticate to the token endpoint, but the returned ID token was signed using a public key (asymmetric keys).

This is not supported by Azure B2C.

ItsMe switched the token signature algorithm (HS256), and now, B2C is able to validate the token's signature using the client secret.


Briac
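The point made in this answer (and in the earlier comment about validating the access token and ID token by hand) is easy to see in code. The block below is an added example, not code from this thread, from Microsoft or from itsme: a minimal stdlib-only JWT verifier that, like a client_secret_post relying party, holds only the shared client secret. It is run against an HS256 token signed with that secret, the same token checked with a wrong secret, and a token whose header announces RS256, and only the first one validates. The secret, issuer, client id and tokens are all constructed for the example.

```python
"""Added example, not code from the thread, Microsoft or itsme: a minimal
stdlib-only JWT verifier that, like a client_secret_post relying party, holds
only the shared client secret. It is run against an HS256 token signed with
that secret, the same token checked with a wrong secret, and a token whose
header says RS256, to show that only the first can be validated.
Secret, issuer, client id and tokens are all constructed for the example."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, client_secret: str) -> str:
    """Mint a JWT the way a provider does once it signs with HS256:
    the HMAC key is the client secret it shares with the relying party."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_id_token(token: str, client_secret: str, issuer: str, client_id: str) -> dict:
    """Validate a JWT using only what a client_secret_post client has.

    Returns the claims on success, raises ValueError with the reason otherwise.
    The algorithm is pinned rather than read from the header: a verifier that
    only holds a symmetric key can never check an RS256 signature, so the
    mismatch the thread describes is reported before any key material is used.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}: "
                         "verifier only holds a client secret (HS256)")
    expected = hmac.new(client_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature validation failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Exercise the three cases and report the outcome of each."""
    secret = "constructed-client-secret"            # placeholder, not a real secret
    issuer = "https://idp.example/oidc"             # constructed issuer value
    client_id = "constructed-client-id"
    claims = {"iss": issuer, "aud": client_id, "sub": "user-123",
              "exp": int(time.time()) + 300}
    hs_token = sign_hs256(claims, secret)
    # Same payload, but the header announces RS256 and the signature is a
    # 256-byte blob standing in for an RSA signature the client cannot check.
    rs_header = b64url_encode(json.dumps({"alg": "RS256", "kid": "idp-key-1"}).encode())
    rs_token = ".".join([rs_header, hs_token.split(".")[1], b64url_encode(b"\x00" * 256)])
    cases = [("hs256_right_secret", hs_token, secret),
             ("hs256_wrong_secret", hs_token, "some-other-secret"),
             ("rs256_with_client_secret", rs_token, secret)]
    results = {}
    for name, tok, key in cases:
        try:
            verify_id_token(tok, key, issuer, client_id)
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script prints one line per case: the HS256 token signed with the configured secret passes, the same token with a different secret fails on the signature check, and the RS256-headed token is rejected before any signature is compared, which is the same outcome B2C reported as AADB2C90239 until the provider switched to HS256. Pinning the algorithm to what the configured credential can actually verify, instead of trusting the header, is the design choice to keep when writing any such verifier.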


EricVNH-3815 answered EricVNH-3815 commented

Hi Briactexier-1404 !

I suppose you are from Belgium too :)

I'm working on a Xamarin.Forms Android/iOS solution with Azure ADB2C and Itsme.

I also use a custom policy and all is working fine, but when I click on the Signin button in my Xamarin app, the Itsme page appears on screen as a web site. I have to enter my phone number, then open the Itsme app manually, validate the connection, and finally go back manually to my app to complete the flow.

At this step, the itsme flow is OK, but I can't manage to open the Itsme app directly when I click on the Signin button in my app.

In fact, the behavior is the same as a classic website on PC...

Have you succeeded in your Itsme integration in your mobile app ?

Thank you in advance,

Eric



Hi Eric,

Glad to hear that your custom policy works :)

I am not really involved in the mobile app development, so I won't be able to share a lot of information here... besides, we are in the early integration stage with itsme...

In the Azure B2C custom policy page 'Run policy settings', if I copy the 'Run now Endpoint' url (https://myapp.b2clogin.com/myapp.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SIGNUP_SIGNIN&;... ) and then run it from my mobile phone to start the flow (no custom layout or anything), I get the login screen and the itsme app opens itself, as you would expect...

Doesn't it do the same on your side ?


Thank you for your response !

From my side, when I start the policy on my phone (this policy contains only the Itsme provider), a page is opened and I have to enter my phone number, then open the itsme app manually, validate the connection, then go back to the app; it's very constraining for our future users.

Can I share a video screencast from my phone with you, so you can see what happens? :)

Sorry for my English, I'm French-speaking.


Hey,
My English is not better than yours :)
No need for a video, I see what you mean. As a matter of fact, I do have the same if I open a browser session in incognito mode.
With a cookie enabled session, if I check 'remember phone number' in ItsMe, then, next time, it will open the ItsMe app automatically... I didn't notice that...



I checked the option "remember my phone" but I still have the same behavior, it's frustrating :)

Do you still have issues with the itsme flow in your Xamarin app?

If you would need help, don't hesitate, from our side all is ok now (except this browser page that should not appear)

Eric
