VikasTiwari-2263 asked:

B2C: Error during authentication with custom policy

Hi @amanpreetsingh-msft ,

I have referred to the code sample from here and used it in my ASP.NET MVC app to authenticate using the B2C service. If I add a user flow policy for sign-in/sign-up it works as expected, but if I use my custom policy for sign-in/sign-up, then after entering credentials I am getting the following error in my ASP.NET MVC app:

IDX10501: Signature validation failed. Unable to match key: kid: 'System.String'. Exceptions caught: 'System.Text.StringBuilder'. token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.

I looked around for this issue and it seems like there is some problem with the authority or metadata endpoint. I have also tried hard-coding the custom policy's well-known metadata endpoint from the portal and am still getting the same error.

Could you please help and point me in the right direction as to what I am missing here?

Thanks for your help in advance.



azure-ad-b2c

amanpreetsingh-msft answered:

Hello @VikasTiwari-2263

This issue occurs due to a mismatch between the key ID that your application gets from the jwks_uri in the metadata and the kid value in the token issued by B2C. In the case of a custom policy, we specify the TokenSigningKeyContainer name in the policy files, which contains the token signing key. The kid of this key must match the kid at the jwks_uri (keys endpoint) and the kid in the token issued by B2C to the application.

[attached image: capture.jpg]

You can capture a Fiddler trace to compare the value of kid in the keys endpoint and the token.

I also tested the sample with my custom policy file but didn't encounter any such issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


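As an added example (not code from this thread or from the sample app), a small Python diagnostic that replays the key-selection step behind IDX10501: it decodes the token's JOSE header, looks the kid up in the JWKS, and additionally checks that the matching key is actually usable for signature validation, since a key published with "use": "enc" is an encryption key per RFC 7517 and validators that honour the use parameter will not select it for verifying a signature (the JWKS posted later in this thread carries exactly that attribute). The JWKS entries, kids and the dummy token are constructed placeholders; the issuer and acr values are the ones shown on this page.

```python
import base64
import json

# Constructed sample JWKS (not taken from the thread). It mirrors the shape seen
# there: the first key is published with "use": "enc", so although its kid may
# match the token header, it is not a signing key. Key material is a placeholder.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "KID-EXAMPLE-1", "use": "enc", "kty": "RSA", "e": "AQAB", "n": "placeholder"},
        {"kid": "KID-EXAMPLE-2", "use": "sig", "kty": "RSA", "e": "AQAB", "n": "placeholder"},
    ]
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT. No signature check: diagnostics only."""
    return json.loads(b64url_decode(token.split(".")[0]))

def explain_kid_resolution(token: str, jwks: dict) -> dict:
    """Replay the key-selection step behind IDX10501 and say why it fails.

    Separates 'no key with this kid at jwks_uri' from 'kid present, but the key
    is not usable for an RS*/PS* signature' (wrong use or wrong key type).
    """
    header = jwt_header(token)
    kid, alg = header.get("kid"), header.get("alg", "")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        return {"kid": kid, "found": False, "usable_for_sig": False,
                "reason": "no key with this kid at jwks_uri"}
    key = matches[0]
    use, kty = key.get("use"), key.get("kty")
    usable = use in (None, "sig") and kty == "RSA" and alg[:2] in ("RS", "PS")
    reason = "ok" if usable else f"kid matches but use={use!r}, kty={kty!r}, alg={alg!r}"
    return {"kid": kid, "found": True, "usable_for_sig": usable, "reason": reason}

def build_sample_token(kid: str) -> str:
    """Constructed JWT with a dummy signature segment; only the header matters here."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    claims = {"iss": "https://mytenant.b2clogin.com/TenantId/v2.0/", "acr": "b2c_1a_username_susi"}
    return ".".join([enc(header), enc(claims), enc({"sig": "dummy"})])

if __name__ == "__main__":
    for kid in ("KID-EXAMPLE-1", "KID-EXAMPLE-2", "KID-MISSING"):
        print(kid, "->", explain_kid_resolution(build_sample_token(kid), SAMPLE_JWKS)["reason"])
```

To run this against a real tenant, paste the JSON from the policy's jwks_uri into SAMPLE_JWKS and pass the id_token your app received in place of the constructed token; a "kid matches but use='enc'" result points at the key container rather than at the app's validation parameters.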

Hi @amanpreetsingh-msft, I have found the issue. It looks like some wrong options were selected when I first created B2C_1A_TokenSigningKeyContainer and B2C_1A_TokenEncryptionKeyContainer. I have recreated new keys and it fixed the issue.

Thanks again for your help on all my b2c questions.

@VikasTiwari-2263 Thank you for the confirmation.

VikasTiwari-2263 answered:

Thanks @amanpreetsingh-msft for your help again.

I have verified the kid values (see below) and all are matching:

JWKS_uri endpoint value:
{
"keys": [
{"kid":"gLfcajUCZIDz73djIKAapxKEYzwxYTuwETvG1NlN8CY","use":"enc","kty":"RSA","e":"AQAB","n":"xAeqk9hpczYK_lEVezvw6ttFU5UUFj5tm5G-o7FXmFbjRIyZUAe28rZtGO5F3Y6ZeXtGJ3CJP9yybfLgsGi3Bjhpisxcs16-0OnOuyP7twpXogG2ovZDtoew93_b4ScjVZsLT3KkUcTNHHjbQZrtJm0Gx_Pj3FL4IkGf_L5bHJ0FIFCpEPVnBvzbjb4MBzug600kwwYc6M66K94cEv0dPAK3bvDeXO0AJnyW1zXjLUewr9gkAlNBf1aVScfMLqAdk5B-h_1R7RckW-NSg0WK7zfN0-ubYe7iCFpAbJfDZ3q8OlL5JRlYNxal8rpmsd9LM1_KLvz5LY2gFeem19fL2Q"}
]
}

TokenSigningKeyContainer:

[attached image]

B2C issued token:

[attached image]

I am still getting the same error when all kid values are the same. Although the error details clearly say the kid value is mismatched, it matches in all places.

For some reason I am unable to post details under the comment section, so I am posting here as another answer.


amanpreetsingh-msft answered:

Hi @VikasTiwari-2263

In the Startup.Auth.cs of the web app, please check what TokenValidationParameters you have added. Below is what we have in the sample:

    TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        ValidateIssuer = false
    }

You can try using these parameters and test again.

VikasTiwari-2263 answered:

Thanks @amanpreetsingh-msft, yes, I have used the same properties as you mentioned above. I haven't changed any code from the sample GitHub code, just replaced my tenant details and policy name.

I also tried adding showPII = true to get the exact error and found the below:

IDX10501: Signature validation failed. Unable to match key: kid: 'gLfcajUCZIDz73djIKAapxKEYzwxYTuwETvG1NlN8CY'.
Exceptions caught: ''. token:
typ":"JWT","alg":"RS256","kid":"gLfcajUCZIDz73djIKAapxKEYzwxYTuwETvG1NlN8CY"}.
{"exp":1599625561,"nbf":1599621961,"ver":"1.0","iss":"https://mytenant.b2clogin.com/TenantId/v2.0/",
"sub":"cfa*","aud":"b59",
"acr":"b2c_1a_username_susi",
"nonce":"637352187617",
"iat":1599621961,"auth_time":1599621961,
"signinname":"",
"name":"",
"given_name":"",
"family_name":"",
"c_hash":"hGW9**"}'.

I have validated and all values are exactly the same as shown in https://jwt.ms, except for the exp and nbf properties, but the kid is the same.

Would it be possible for you to share the Startup file details so I can cross-check with mine where it's going wrong? Or maybe you know of any sample code which has been published specifically for custom policies?

Thanks again for your help on this.


@VikasTiwari-2263 You can try configuring the policy files from scratch by downloading the starter pack from here: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip and using the SocialandLocalAccounts template. All samples here are for both user flows and custom policies. There is no sample specifically for custom policies.

Thanks @amanpreetsingh-msft, I have created fresh policies as suggested using the SocialandLocalAccounts template, but still no luck. Though I had to modify the policy as our users are using a system-assigned username, I was getting the same error.

What is confusing me here is that the app works correctly if I add a built-in user flow for sign-in/sign-up. It only throws the error when I switch to a custom policy, so it looks like some difference at the policy level is causing the issue. I will keep troubleshooting it more; it's driving me crazy.

Thanks again for your help.

cowlephant commented:

Hi @VikasTiwari-2263, have you figured out a solution for this?

I am experiencing the exact same issue.
