IDX10503 err JWT token error

  • Question

  • I'm using MSAL.js from a React front-end and am trying to access a .net core 2.0 web api on a different URL. The token is added to the authentication header in the request and both URLs are registered in the Application Registration Portal with their URL as Redirect URL. The token seems to reach the .net core endpoint, but I'm getting the error

    IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey ...

    in the OnAuthenticationFailed event.

    I have tried different settings in the AddJwtBearer -> TokenValidationParameters.

    Where can I find a good description on how to set this up?

    Monday, December 11, 2017 9:43 AM
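    For readers setting up the API side of this scenario, the following is an added example, not code from this thread or from the samples linked in the replies. It shows an ASP.NET Core 2.0 `AddJwtBearer` configuration that points the handler at the v2.0 authority (so the signing keys are fetched from the v2.0 OpenID Connect metadata) and an `OnAuthenticationFailed` handler that logs the rejected token's key id, issuer and audience, which is what you need to tell a token issued for a different resource from a stale key set. The tenant ID, the API's client ID and the `Startup` class shape are placeholders and assumptions.

```csharp
// Added example (not from the original post or the linked samples).
// Assumptions: the API is registered in the Application Registration Portal with client ID
// <api-client-id-placeholder>, the MSAL.js client requests tokens for that API, and the
// tenant ID is <tenant-id-placeholder>.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public partial class Startup
{
    private const string TenantId = "<tenant-id-placeholder>";        // placeholder
    private const string ApiClientId = "<api-client-id-placeholder>"; // placeholder

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // v2.0 authority: the handler downloads
                // https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
                // and the signing keys its jwks_uri points to. If the presented token was signed
                // with a key that is not in that set (for example a token issued for another
                // resource), validation fails with IDX10503 "Signature validation failed".
                options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
                options.RequireHttpsMetadata = true;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // v2.0 access tokens carry the API's client ID as the audience.
                    ValidAudience = ApiClientId,
                    ValidIssuer = $"https://login.microsoftonline.com/{TenantId}/v2.0",
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                };
                options.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = context =>
                    {
                        var logger = context.HttpContext.RequestServices
                            .GetRequiredService<ILoggerFactory>()
                            .CreateLogger("JwtBearer");

                        // Parse (without validating) the rejected token so the log shows which
                        // key id, issuer and audience it carries. Only header/claim metadata is
                        // logged; the raw bearer token is a credential and is never written out.
                        var header = context.Request.Headers["Authorization"].FirstOrDefault();
                        if (header != null &&
                            header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                        {
                            var raw = header.Substring("Bearer ".Length).Trim();
                            var handler = new JwtSecurityTokenHandler();
                            if (handler.CanReadToken(raw))
                            {
                                var jwt = handler.ReadJwtToken(raw);
                                logger.LogWarning(
                                    "Token rejected: kid={Kid} iss={Iss} aud={Aud} error={Error}",
                                    jwt.Header.Kid,
                                    jwt.Issuer,
                                    string.Join(",", jwt.Audiences),
                                    context.Exception.Message);
                                return Task.CompletedTask;
                            }
                        }

                        logger.LogWarning("Token rejected: {Error}", context.Exception.Message);
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

    When the logged `aud` is not the API's own client ID, the MSAL.js client requested the token for a different resource and the API was never meant to validate it; when `aud` is correct but the `kid` is not among the keys the handler fetched, compare the configured authority with the token's `iss` value.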

All replies

  • You may refer to the links below and see if it helps.
    https://github.com/microsoftgraph/aspnetcore-connect-sample

    https://docs.microsoft.com/en-us/azure/active-directory/develop/guidedsetups/active-directory-javascriptspa

    -----------------------------------------------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you and vote it as helpful, this can be beneficial to other community members.

    Monday, December 11, 2017 12:39 PM
  • Thanks for the links. I had used the second link to build up the client side, so I tried the first example now to see if that helps. As far as I can see it uses the AppOpenIdConnect with cookie support. What I wanted to use is the AddJwtBearer option since client and api are running on two different URLs and using a cookie wouldn't work.

    What I want to achieve is getting a token in a Javascript client with the help of MSAL.js. The front consists only of HTML, Javascript and CSS and has no "back-end". The token should be used in the communication with an ASP.Net core 2.0 API running on a different URL. That API might use the token in the communication with other underlying APIs. So something like this:

    gets token     +----------+ <-------------------+
           +---------> | Azure AD |                     |
           |           +----------+ <---+   token       |
           |                            |   validation  |
           |                            |               |
       +--------+            +-------------+         +----------+
       | Front  +----------->+  Front API  +-------->+  WebAPI  |
       +--------+   uses     +-------------+  uses   +----------+
                    token                     token
    
    (formatting isn't working => you might want to copy and paste into text editor)

    So I didn't get the first example to work in my context. Maybe I'm doing it wrong and should use another approach in this context? In that case, where should I look for more information/examples?

    • Edited by AlexanderEsser Monday, December 11, 2017 3:54 PM formatting
    Monday, December 11, 2017 3:41 PM
  • Unfortunately what you are doing is currently not supported for the v2 endpoint. This document - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-services-and-apis shows the current limitations of the V2 endpoint – but basically because you are trying to call 3rd party APIs from a service, this feature is not yet available in the v2 endpoint.

    Monday, December 18, 2017 10:49 AM
  • Thanks for the input. What would be the recommended architecture for this scenario?
    Monday, December 18, 2017 11:11 AM
  • Hope this helps - https://github.com/AzureAD/passport-azure-ad/issues/349

    Wednesday, January 3, 2018 5:26 AM