VueJS + API Core .NET - Signature validation failed. Unable to match 'kid'


I am trying to set up OpenID authentication with a JWT token between a VueJS front end and an API in .NET Core.
But I'm having an error in the .NET Core API: "Signature validation failed. Unable to match 'kid'".

Which token do I send to .NET Core? id_token or access_token?
What am I doing wrong?

Sample code:

// URL in VueJS (template literal; scope and redirect_uri must be URL-encoded)
const authUrl = `https://${okta.urlOrga}/oauth2/v1/authorize?client_id=${okta.clientId}&response_type=id_token&nonce=1234567&scope=${encodeURIComponent("openid email groups")}&state=test&redirect_uri=${encodeURIComponent(window.location.href)}`;

// Code in .NET Core (Startup.ConfigureServices)

services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    // Interpolated string: the org URL comes from configuration
    options.Authority = $"https://{okta.urlOrga}/oauth2/default";
    options.Audience = "api://default";
});

IDX10501: Signature validation failed. Unable to match ‘kid’: …

Try using https://${okta.urlOrga}/oauth2/default/v1/authorize instead of the value you’re currently using.

I have a 404 from Okta because it is trying to go to

Hmmm, it sounds like you don't have a default Authorization server set up. Can you please email and ask them to configure this for your organization?

I have a default authorization server and a custom

If you have a default authorization server, it’s strange that you’re getting a 404. I’m not sure what could be causing this issue, unless you’re somehow getting the authorization endpoint wrong. You should be able to get the endpoint URLs from your org’s .well-known/oauth-authorization-server. For example:

No more 404, cleared cookies & co., but I still have an invalid token.

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: 'IDX10501: Signature validation failed. Unable to match ‘kid’:

I tested with id_token or access_token…

If I use a custom authorization server in the front end, should I change the authority and audience in the back end?

.AddJwtBearer(options =>
{
    options.Authority = "";
    options.Audience = "api://default";
});

Hi @Loic, they need to match.

You are running into a similar problem as: Error: The signature key was not found

This is usually because the backend integration is checking an authorization server that doesn’t have the public key (identified by a kid) that the access token is reporting in the header of the JWT. I have some additional troubleshooting steps in the other post.

Let me know if that gets this resolved for you, thanks!
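As an added example (not code from this thread or from Okta), a small Node.js script that decodes a token's header and payload without verifying the signature and checks the three things Tom describes that must line up with the backend: the token's iss against Authority, its aud against Audience, and the header's kid against the keys published by that authorization server. The org URL, client ID, key IDs and JWKS below are constructed placeholders.

```javascript
// Added diagnostic, not from the thread. Decodes a JWT (no signature check)
// and reports why a JwtBearer backend would reject it: wrong issuer, wrong
// audience, or a "kid" missing from the authority's JWKS (that last case is
// what surfaces as IDX10501). All token contents and keys are constructed.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(part) {
  const s = part.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(s + "=".repeat((4 - s.length % 4) % 4), "base64").toString("utf8"));
}

// Constructed token: header.payload.<dummy signature>. Real tokens carry an
// RS256 signature; this script only inspects metadata and never verifies it.
function makeToken(header, payload) {
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.dummysig`;
}

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return { header: b64urlDecode(parts[0]), payload: b64urlDecode(parts[1]) };
}

// Returns the list of mismatches between a token and the backend settings.
// Empty list: iss, aud and kid all line up (the signature is still unchecked).
function diagnose(token, { authority, audience, jwks }) {
  const { header, payload } = decodeJwt(token);
  const problems = [];
  if (payload.iss !== authority) problems.push(`iss "${payload.iss}" != Authority "${authority}"`);
  const auds = [].concat(payload.aud);            // aud may be a string or an array
  if (!auds.includes(audience)) problems.push(`aud [${auds}] does not contain Audience "${audience}"`);
  if (!jwks.keys.some((k) => k.kid === header.kid)) problems.push(`kid "${header.kid}" not in JWKS (IDX10501)`);
  return problems;
}

// Constructed sample: the backend is configured for the org's default authorization server.
const ORG = "https://dev-000000.okta.com";                         // placeholder org URL
const DEFAULT_AS = `${ORG}/oauth2/default`;
const CUSTOM_AS = `${ORG}/oauth2/ausCUSTOMPLACEHOLDER`;            // placeholder custom server id
const CLIENT_ID = "0oaCLIENTPLACEHOLDER";                          // placeholder SPA client_id
const DEFAULT_JWKS = { keys: [{ kty: "RSA", kid: "kid-default-1", use: "sig", alg: "RS256" }] };
const backend = { authority: DEFAULT_AS, audience: "api://default", jwks: DEFAULT_JWKS };

// access_token from the default server: all three checks pass.
const accessDefault = makeToken({ alg: "RS256", kid: "kid-default-1" }, { iss: DEFAULT_AS, aud: "api://default", sub: "u1" });
// id_token: its aud is the SPA's client_id, so Audience = "api://default" rejects it.
const idDefault = makeToken({ alg: "RS256", kid: "kid-default-1" }, { iss: DEFAULT_AS, aud: CLIENT_ID, sub: "u1" });
// access_token minted by a custom server: different iss, and a kid the default JWKS does not publish.
const accessCustom = makeToken({ alg: "RS256", kid: "kid-custom-7" }, { iss: CUSTOM_AS, aud: "api://default", sub: "u1" });

for (const [name, t] of [["access/default", accessDefault], ["id/default", idDefault], ["access/custom", accessCustom]]) {
  console.log(name, diagnose(t, backend));
}
```

Against a live org the JWKS would be fetched from the keys endpoint listed in the authority's .well-known metadata rather than embedded.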

Thx Tom, it's working!

I did not understand that the audience in .NET Core needs to be the client ID of the application used in the URL in auth.js.

I need to add groups to the token, so I added a custom claim in the authorization server. Good choice?

Can I use a custom authorization server for an application? How do I change the issuer?

I solved my problem.

I'm using the default authorization server with custom claims that are only shown in custom scopes, so as not to disturb other applications, for my specific need.


Glad you got it fixed! Definitely use the default authorization server (/oauth/default) as this is the authorization server for custom applications.