This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 30%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVT%3C/text%3E%3C/svg%3E)
Hi @AmanpreetSingh-MSFT ,
I have referred code sample from here and used in my asp.net mvc app to authenticate using b2c service. If I add user flow policy for sign-in/sign-up its working as expected, but if user my custom policy for sign-in/sign-up user and after entering credentials I am getting following error on my asp.net mvc app:
IDX10501: Signature validation failed. Unable to match key: kid: 'System.String'. Exceptions caught: 'System.Text.StringBuilder'. token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
I looked around this issue and seems like some problem with authority or metadata endpoint. I also have tried to hard code custom policy well known meta data endpoint from portal and still getting same error.
Could you please help and point me to correct direction what I am missing here?
Thanks for your help in advance.
Hello @Vikas Tiwari
This issue occurs due to mismatch in the key id that your application is getting from the JWKS_uri in the metadata and the KID value in the token issued by B2C. In case of custom policy, we specify the TokenSigningKeyContainer name in the policy files, which contains the token signing key. The KID of this key must match with the KID at the jwks_uri (keys endpoint) and the KID in the token issued by B2C to the application.
You can capture a fiddler trace to compare the value of KID in the keys endpoint and the token.
I also tested the sample with my custom policy file but didn't encounter any such issue.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi @AmanpreetSingh-MSFT I have found the issue, looks like some wrong options selected when first time I created B2C_1A_TokenSigningKeyContainer and B2C_1A_TokenEncryptionKeyContainer. I have recreate new keys and it fixed the issue.
Thanks again for your help on all my b2c questions.
@Vikas Tiwari · Thank you for the confirmation.
Thanks @AmanpreetSingh-MSFT for your help again.
I have verified KID values (see below) all are matching values:
JWKS_uri endpoint value:
{
"keys": [
{"kid":"gLfcajUCZIDz73djIKAapxKEYzwxYTuwETvG1NlN8CY","use":"enc","kty":"RSA","e":"AQAB","n":"xAeqk9hpczYK_lEVezvw6ttFU5UUFj5tm5G-o7FXmFbjRIyZUAe28rZtGO5F3Y6ZeXtGJ3CJP9yybfLgsGi3Bjhpisxcs16-0OnOuyP7twpXogG2ovZDtoew93_b4ScjVZsLT3KkUcTNHHjbQZrtJm0Gx_Pj3FL4IkGf_L5bHJ0FIFCpEPVnBvzbjb4MBzug600kwwYc6M66K94cEv0dPAK3bvDeXO0AJnyW1zXjLUewr9gkAlNBf1aVScfMLqAdk5B-h_1R7RckW-NSg0WK7zfN0-ubYe7iCFpAbJfDZ3q8OlL5JRlYNxal8rpmsd9LM1_KLvz5LY2gFeem19fL2Q"}
]
}
TokenSigningKeyContainer:
B2C issued token:
Still I am getting same error when all kid values are same. Although error details clearly saying kid value mismatch but its matching all places.
For some reason I am unable to post details under comment section, so posting here as another answer.
In the Startup.Auth.cs of the webapp, please check what TokenValidationParameters you have added. Below is what we have in the sample:
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
ValidateIssuer = false
}
You can try using these parameters and test again.
Thanks @AmanpreetSingh-MSFT , yes I have used same properties as you mentioned above. I haven't change any code from sample github code just replaced my tenant details and policy name.
Also I tried to add showPII = true to get exact error and found below:
IDX10501: Signature validation failed. Unable to match key: kid: 'gLfcajUCZIDz73djIKAapxKEYzwxYTuwETvG1NlN8CY'.
Exceptions caught: ''. token:
typ":"JWT","alg":"RS256","kid":"gLfcajUCZIDz73djIKAapxKEYzwxYTuwETvG1NlN8CY"}.
{"exp":1599625561,"nbf":1599621961,"ver":"1.0","iss":"https://mytenant.b2clogin.com/TenantId/v2.0/",
"sub":"cfa************","aud":"b59**************",
"acr":"b2c_1a_username_susi",
"nonce":"637352187617************************************",
"iat":1599621961,"auth_time":1599621961,
"signinname":"********",
"name":"************",
"given_name":"**********",
"family_name":"**********",
"c_hash":"hGW9***************"}'.
I have validated and all values are exactly same as showing in https://jwt.ms, except exp and nbf properties but kid is same.
Would it be possible for you to share Startup file details, I can cross check with mine where its going wrong? or maybe if you know any sample code which has published specifically for custom policy?
Thanks again for your help on this.
@Vikas Tiwari You can try configuring the policy files from scratch by downloading starter pack from here: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip and use SocialandLocalAccounts template. All samples here are for both user flows and custom policies. There is no sample specifically for custom policies.
Thanks @AmanpreetSingh-MSFT I have created fresh policies as suggested using SocialandLocalAccounts template but still no luck. Though I had to modify the policy as our user are using system assigned username but I was getting same error.
What confusing me here is, app working correctly if I add a built-in user flow for signin/signup. It only throws error when switch to custom policy, looks like some difference at policy level which is causing issue. I will keep troubleshooting it more, its driving me crazy.
Thanks again for your help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 93%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hi @Vikas Tiwari have you figured out a solution for this?
I am experiencing the exact same issue.
Hi @Cowlephant Yes I was able to fixed the issue. For my case it was wrong details under TokenSigningKeyContainer in custom policy once I corrected the values its started working.
I would suggest to compare your policy file with github sample (mentioned above in my question) and make sure your container name and other values are correct, or just try to download policy from github sample and change it carefully with correct values. All the best.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 84%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi Did you figured out the issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 1%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKG%3C/text%3E%3C/svg%3E)
Hello @Vikas Tiwari after you corrected the TokenSigningKeyContainer values does both built-in user flow and custom policy JWT token Kid values are same?