Web App Authentication issue - JWT validation failed: IDX10501: Signature validation failed. Unable to match keys.

  • Question


  • Hello!

    Suddenly, my customer web app authentication started failing when trying to log in. I use built-in authentication in a web app. In Azure, when the web app panel is open, navigate to: Authentication / Authorization

    My provider is Google and the issue started about 24 hours ago. Before that everything worked well for a long time and I haven’t done any updates to my app in a few weeks.

    In a web app, which is an API for a mobile application, I use “client flow” when authenticating the user. It is done in the following way:

    1. The mobile app uses the Google SDK to request an access token.
    2. Then the access token is sent to the following endpoint: POST <mywebappurl>/.auth/login/google

    The problem is in the Azure endpoint, which somehow does not work as expected. The Google SDK returns their access_token. The web app logs show the following error:

    2019-06-16T07:14:30,Verbose,Received request: POST https://releasev2-wanderingtailsapi.azurewebsites.net/.auth/login/google,

    2019-06-16T07:14:30,Verbose,Downloading OpenID configuration from https://accounts.google.com/.well-known/openid-configuration,

    2019-06-16T07:14:30,Verbose,Downloading OpenID issuer keys from https://www.googleapis.com/oauth2/v3/certs,

    2019-06-16T07:14:30,Warning,"JWT validation failed: IDX10501: Signature validation failed. Unable to match keys: 

    kid: '[PII is hidden]', 

    token: '[PII is hidden]'..",

    2019-06-16T07:14:30,Information,Sending response: 401.83 Unauthorized,

    The .auth/login/google endpoint returns the following error message: 401 Unauthorized “You do not have permission to view this directory or page.”

    I have tried the following steps to resolve the issue:

    - Checked my application code to confirm that nothing has changed.
    - Tried to disable and enable Authentication but it didn’t help.
    - Tried to disable and enable Token store but it didn’t help.
    - Tried to make a new web app with authentication but it gives me the same error.
    - The same error also occurs in the development environment.
    - Tried to decode the Google access_token and saw that the “kid” property matches one of the certificates that can be found at https://www.googleapis.com/oauth2/v3/certs

    If I use the following URL directly in my browser, everything works: GET <mywebappurl>/.auth/login/google

    Any ideas on how to resolve the issue?


    • Edited by TuroNylund Sunday, June 16, 2019 1:35 PM
    Sunday, June 16, 2019 1:34 PM
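
The last troubleshooting step in the question (decoding the token and comparing its "kid" with the published key set) can be scripted as below. This is an added example, not part of the original post and not App Service's own validation code; the key IDs, tokens and the `diagnose_kid` / `make_token` names are constructed for illustration, and the check reads the header only, without verifying any signature.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def diagnose_kid(token: str, jwks: dict) -> str:
    """Classify how a token's header relates to a JWKS, without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        return "not-a-jws"  # opaque token, not a three-part signed JWT
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "bad-header"
    kid = header.get("kid") if isinstance(header, dict) else None
    if not isinstance(kid, str):
        return "no-kid"
    keys = {k.get("kid"): k for k in jwks.get("keys", [])}
    key = keys.get(kid)
    if key is None:
        return "kid-not-in-jwks"  # this key set does not contain the signer's key
    if key.get("alg") and key["alg"] != header.get("alg"):
        return "alg-mismatch"
    if key.get("use", "sig") != "sig":
        return "key-not-for-signing"
    return "kid-present"  # key found; the signature itself is still unchecked

# Constructed sample data: key IDs and tokens are made up for illustration.
SAMPLE_JWKS = {"keys": [
    {"kid": "sample-key-a", "kty": "RSA", "alg": "RS256", "use": "sig"},
    {"kid": "sample-key-b", "kty": "RSA", "alg": "RS256", "use": "sig"},
]}

def make_token(header: dict) -> str:
    # Builds an unsigned, constructed token; the last segment is filler.
    body = [json.dumps(header).encode(), b'{"iss":"constructed"}', b"filler"]
    return ".".join(b64url_encode(p) for p in body)

if __name__ == "__main__":
    for hdr in ({"alg": "RS256", "kid": "sample-key-a"},
                {"alg": "RS256", "kid": "rotated-out-key"}):
        print(hdr["kid"], "->", diagnose_kid(make_token(hdr), SAMPLE_JWKS))
    print("opaque ->", diagnose_kid("constructed-opaque-token", SAMPLE_JWKS))
```

The result is only meaningful for the key set passed in; a validator working from a different or older copy of the keys can still fail to match a "kid" that the published set contains.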

Answers

  • Hi All,

    Thanks for your patience. A permanent solution has been deployed. Your logins should be working again after you do a site(s) restart. Please restart your site(s) to see the fix.

    Best Regards,

    -Grace

    • Marked as answer by TuroNylund Tuesday, June 25, 2019 5:32 AM
    Friday, June 21, 2019 6:11 PM
    Moderator

All replies

  • I'm having the same issue in the last 24 hours, and am having the same issue.
    Monday, June 17, 2019 9:31 AM
  • Been having the same issue but with Azure App Service. It's been intermittent for the last few days, but can't sign in at all today.

    Monday, June 17, 2019 2:41 PM
  • Hi TuroNylund, William and Youkahlon,

    Can you please email us your site names, subscription IDs and the URL of this thread to AzCommunity[at]Microsoft[dot]com so that we can investigate further? Thank you.

    Monday, June 17, 2019 6:11 PM
    Moderator
  • I'm also having the same issue and couldn't find any solution yet.

    I also sent an email per your request.

    Hope you can find a solution.

    Monday, June 17, 2019 7:12 PM
  • Hi.

    I sent the information. If it helps, I sent two web app sites that have the same problem. Haven't figured it out. My web sites run on Azure App Service (Windows) and use the .NET 4.7 environment.

    I tried to find a configuration setting to see the hidden "kid" and "token" values in the logs but could not get it to work. I am not sure if there is any flag to show those values.

    Monday, June 17, 2019 7:21 PM
  • The thing here I think is that it was working fine until a couple of days ago (or so...) when this issue appeared without any change in the app / client side.
    Monday, June 17, 2019 7:52 PM
  • We are currently investigating the issue and will report back with more information.
    Monday, June 17, 2019 8:36 PM
  • Same issue. Sent my information as requested by Grace MacJones
    Monday, June 17, 2019 9:27 PM
  • Just wanted to tell that I have same issue. I think it started June 13th.
    Tuesday, June 18, 2019 5:58 AM
  • Some notices that I have made:

    - If the application user was logged in before the issue arose, it seems to work. I mean that App Service authentication can refresh the Google access token.

    - If the application logs out and the App Service's Zumo token is removed, the user is unable to log in again because this problem occurs.

    I remember a similar issue over two years ago but it only lasted one day and did not resolve it. Anyway, back then it had similar error messages with those "kid" values. Then it seemed that just disabling/enabling Authentication on the Web App resolved the problem, but that didn't work for the current issue.

    Tuesday, June 18, 2019 8:11 AM
  • Hi!

    I'm experiencing Google Auth issues. I have an up-to-date Azure App Services back-end with a web front-end and Xamarin.Android / Xamarin.iOS apps.

    First, it was on back-end, the « GoogleCredentials.UserClaims » didn't have the « ClaimTypes.NameIdentifier » anymore (first time in years I've seen this) — which I based on GoogleCredentials.UserId to fix.

    Now I'm getting an issue from my apps; when I try to log in using a valid JToken (built from the Google Signin data — has been working for years), my server answers

    {"code":401,"message":"IDX10501: Signature validation failed. Unable to match keys: \u000akid: '[PII is hidden]', \u000atoken: '[PII is hidden]'."}

    Were there any updates recently?! This whole auth flow has been working for years and is suddenly broken!
    Tuesday, June 18, 2019 2:40 PM
  • I'm sorry this appears to be a duplicate of 
    /Forums/en-US/48feecef-2d67-4d9b-8143-64d265868f25/web-app-authentication-issue-jwt-validation-failed-idx10501-signature-validation-failed-unable?forum=windowsazurewebsitespreview

    Tuesday, June 18, 2019 2:42 PM
  • I'm experiencing the same issue both in production and development! Do you also need site names and subscriptions to investigate?
    • Edited by PaulRoy Tuesday, June 18, 2019 2:45 PM
    Tuesday, June 18, 2019 2:44 PM
  • Hi PaulRoy, Yes please email us your site names and subscriptions to AzCommunity[at]Microsoft[dot]com
    Tuesday, June 18, 2019 5:33 PM
    Moderator
  • I have sent one detailed error log to AzCommunity[at]Microsoft[dot]com

    It contains an error log from the Azure Web App and is the most detailed that I could get. Hope it helps to resolve the issue. In short, it includes the following information:

    Detailed Error Information:

    Module: EasyAuthModule_32bitNotification
    BeginRequestHandler: ExtensionlessUrlHandler-Integrated-4.0
    Error Code: 0x80004005

    The error message shows the 32-bit module because I had just tried switching between 32-bit and 64-bit mode to see if it would help. The same error occurs in 64-bit mode. Still didn't help. Also, I updated my web application to use .NET 4.7.2 without any success.

    Also, I found the following post: https://stackoverflow.com/questions/31063048/azures-inbuild-website-authorization-throws-permission-error-after-returning-to

    I was wondering, could there be any problems in web.config files that can cause the issue?

    Is there anything that we could do about the problem? Over 72 hours have now passed since the issue arose.

    Tuesday, June 18, 2019 6:38 PM
  • Hi,

    I'm also facing this issue, is there anything I can do about it ?

    I have an Azure web app that is used by a Xamarin mobile app. Login with Google stopped working yesterday with this error; nothing has changed on my side in two weeks.

    Wednesday, June 19, 2019 7:22 AM
  • Hi FabricBailly,

    It seems that Microsoft are working on this. If you need a hot fix while Microsoft work on a permanent solution, you can email Microsoft [see Grace MacJones's response above]

    Just note, you need to have a dedicated SKU for your website if you want the hot fix. I'm not there yet, so haven't tested the hot fix


    Wednesday, June 19, 2019 7:56 AM
  • Hi FabricBailly, please email us your site names and subscriptions to AzCommunity[at]Microsoft[dot]com
    Thursday, June 20, 2019 6:28 AM
    Moderator
  • Hi Taimila, please email us your site names and subscriptions to AzCommunity[at]Microsoft[dot]com
    Thursday, June 20, 2019 6:29 AM
    Moderator