VueJS + Api Core .net - Signature validation failed. Unable to match ‘kid'

Hi,

I am trying to set up OpenID authentication with a JWT token between a VueJS front end and an API in .NET Core.
But I'm having an error in the .NET Core API: "signature validation failed. Unable to match 'kid'".

Which token do I send to .NET Core? id_token or access_token?
What am I doing wrong?

Sample code

// URL in VueJS (template literal; this targets the org authorization server at /oauth2/v1)
// nonce and state are fixed in this sample; in a real flow both should be random per request
const authUrl = `https://${okta.urlOrga}/oauth2/v1/authorize` +
  `?client_id=${okta.clientId}` +
  `&response_type=id_token` +
  `&nonce=1234567` +
  `&scope=${encodeURIComponent('openid email groups')}` +
  `&state=test` +
  `&redirect_uri=${encodeURIComponent(window.location.href)}`;

// Code in .NET Core (Startup.ConfigureServices)

services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    // Authority: the middleware loads discovery metadata and the signing keys (JWKS) from here
    options.Authority = $"https://{okta.urlOrga}/oauth2/default";
    // Audience: must match the aud claim of the token the front end sends
    options.Audience = "api://default";
});

//ERROR
IDX10501: Signature validation failed. Unable to match 'kid': …

Try using https://${okta.urlOrga}/oauth2/default/v1/authorize instead of the value you’re currently using.

I have a 404 from Okta because it is trying to go to
https://XXXX.oktapreview.com/default/oauth2/v1/authorize?client_id=XXXXXXX&response_type=id_token&nonce=1234567&scope=openid%20email%20groups&state=test&redirect_uri=XXXXXXX

Hmmm, it sounds like you don’t have a default Authorization server setup. Can you please email developers@okta.com and ask them to configure this for your organization?

I have a default authorization server and a custom one.

If you have a default authorization server, it’s strange that you’re getting a 404. I’m not sure what could be causing this issue, unless you’re somehow getting the authorization endpoint wrong. You should be able to get the endpoint URLs from your org’s .well-known/oauth-authorization-server. For example: https://dev-158606.oktapreview.com/oauth2/default/.well-known/oauth-authorization-server

No more 404 (cleared cookies & co.), but I still have an invalid token.

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: 'IDX10501: Signature validation failed. Unable to match 'kid':

I tried with id_token or access token…

If I use a custom authorization server in front, should I change the authority and audience in the back?

.AddJwtBearer(options =>
{
    options.Authority = "https://XXXX.oktapreview.com/oauth2/default";
    options.Audience = "api://default";
});

Hi @Loic, they need to match.

You are running into a similar problem as: Error: The signature key was not found

This is usually because the backend integration is checking an authorization server that doesn’t have the public key (identified by a kid) that the access token is reporting in the header of the JWT. I have some additional troubleshooting steps in the other post.

Let me know if that gets this resolved for you, thanks!
Tom

Thanks Tom, it's working!

I did not understand that the audience in .NET Core needs to be the client ID of the application used in the URL in auth.js.

I need to add groups in the token, so I added a custom claim in the authorization server. Good choice?

Can I use a custom authorization server for an application? How do I change the issuer?

I solved my problem.

I'm using the default authorization server with custom claims only shown in the custom scopes, so as not to disturb other applications, for my specific need.


Glad you got it fixed! Definitely use the default authorization server (/oauth/default) as this is the authorization server for custom applications.