
[Bug] Access Token acquired with WAM cannot be validated #5012

Open
@gzor

Description

Library version used

4.66.2

.NET version

NET Framework 4.8

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production; I haven't upgraded MSAL, but I started seeing this issue.

Issue description and reproduction steps

The acquired access token fails JWT signature validation.
I used JsonWebTokenHandler to validate it in the API code, and jwt.io in my manual tests. Both methods can validate the ID token, but not the access token.

Reproduction steps:

  1. Authenticate with WAM Silently with your operating system account.
  2. (Pass the Access Token to your API that needs to validate this Token)
  3. Perform a standard jwt validation

Relevant code snippets

Acquiring Token:

```csharp
// Values supplied elsewhere in the application (not shown in this issue):
// applicationId, tenantId, windowHandle, scopes, and the BrokerOptions instance `options`.
var app =
  PublicClientApplicationBuilder.Create(applicationId)
                                .WithDefaultRedirectUri()
                                .WithTenantId(tenantId)
                                .WithParentActivityOrWindow(() => windowHandle)
                                .WithBroker(options)
                                .Build();

AuthenticationResult result = null;

try {
  // Silent acquisition through WAM with the account signed in to Windows;
  // give up after 10 seconds.
  var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
  var token = cts.Token;
  result = await app.AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
                    .ExecuteAsync(token);
}
// Can't get a token silently, go interactive
catch (MsalUiRequiredException ex) {
  result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
}
```

Token Validation:

```csharp
using System.Net.Http;
using System.Text.Json;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

// `issuer`, `issuers` and `clientHelloAccessToken` (the access token received from the client)
// are set by the calling code and are not shown here.

// Fetch the keys from the well-known OIDC document
var httpClient = new HttpClient();
var oidcConfig = await httpClient.GetStringAsync($"{issuer}/.well-known/openid-configuration");
var oidcConfigJson = JsonDocument.Parse(oidcConfig);
var jwksUri = oidcConfigJson.RootElement.GetProperty("jwks_uri").GetString();
var jwks = await httpClient.GetStringAsync(jwksUri);
var jsonWebKeySet = new JsonWebKeySet(jwks);
var keys = jsonWebKeySet.GetSigningKeys();

var validationParameters = new TokenValidationParameters
{
    ValidIssuers = issuers,
    ValidateIssuer = true,
    // Audience validation is disabled here, so the API accepts tokens issued for any resource,
    // not only tokens whose `aud` is this API.
    ValidateAudience = false,
    ValidateLifetime = true,
    ClockSkew = TimeSpan.Zero,
    IssuerSigningKeys = keys
};
// Log PII and the complete token so the validation failure can be diagnosed.
IdentityModelEventSource.ShowPII = true;
IdentityModelEventSource.LogCompleteSecurityArtifact = true;

var tokenHandler = new JsonWebTokenHandler();
var validationResult = await tokenHandler.ValidateTokenAsync(clientHelloAccessToken, validationParameters);
```


### Expected behavior

Access Token is cryptographically verifiable 

### Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

### Regression

_No response_

### Solution and workarounds

_No response_
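The following is an added example, not code from the issue or from MSAL.NET. It shows two things a resource API should do before concluding the token is broken: first, decode the token without validating it to see which audience it was issued for and whether the JWT header carries a `nonce` (Entra access tokens issued for Microsoft Graph carry a header `nonce` and are not designed to be signature-validated by any resource other than Graph, so they will always fail a standard JWT check; the API should instead be called with a token scoped to its own audience); second, validate with `ValidateAudience = true`, since the issue's `ValidateAudience = false` makes the API accept tokens issued for any resource. The example mints its own test tokens with a local RSA key so it runs offline; `ApiAudience`, `GraphAudience`, the `Issuer` placeholder and the key id are constructed values, and the code assumes the `Microsoft.IdentityModel.JsonWebTokens` and `Microsoft.IdentityModel.Tokens` packages already used in the issue.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Added example; not code from the issue or from MSAL.NET.
public static class TokenTriage
{
    // Constructed values: the API's own Application ID URI, Graph's audience,
    // and a placeholder issuer (replace <tenant-id> with the real tenant).
    public const string ApiAudience = "api://my-resource-api";
    public const string GraphAudience = "https://graph.microsoft.com";
    public const string Issuer = "https://login.microsoftonline.com/<tenant-id>/v2.0";

    // Decode without validating, to see who the token was issued for.
    // A "nonce" in the header marks a token issued for Microsoft Graph, which other
    // resources are not meant to validate.
    public static string Describe(string accessToken)
    {
        var jwt = new JsonWebToken(accessToken);
        bool hasHeaderNonce = jwt.TryGetHeaderValue<string>("nonce", out _);
        return $"alg={jwt.Alg} kid={jwt.Kid} iss={jwt.Issuer} " +
               $"aud={string.Join(",", jwt.Audiences)} headerNonce={hasHeaderNonce}";
    }

    // Mint a test token with a local key so the example runs offline (constructed data).
    public static string MintToken(SecurityKey signingKey, string audience)
    {
        var handler = new JsonWebTokenHandler();
        return handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "test-user") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256)
        });
    }

    // Hardened validation: issuer, lifetime, signature AND audience are checked.
    // Passing validateAudience=false reproduces the issue's weaker configuration.
    public static async Task<bool> ValidateAsync(string token, SecurityKey signingKey, bool validateAudience)
    {
        var handler = new JsonWebTokenHandler();
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = validateAudience,
            ValidAudience = ApiAudience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,
            IssuerSigningKey = signingKey
        };
        TokenValidationResult result = await handler.ValidateTokenAsync(token, parameters);
        Console.WriteLine(result.IsValid
            ? "valid"
            : $"rejected: {result.Exception?.GetType().Name}");
        return result.IsValid;
    }

    public static async Task Main()
    {
        // RSACryptoServiceProvider is used for .NET Framework 4.8 compatibility.
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            var key = new RsaSecurityKey(rsa) { KeyId = "local-test-key" };

            string forApi = MintToken(key, ApiAudience);
            string forGraph = MintToken(key, GraphAudience);

            Console.WriteLine(Describe(forApi));
            Console.WriteLine(Describe(forGraph));

            await ValidateAsync(forApi, key, validateAudience: true);    // valid: aud is this API
            await ValidateAsync(forGraph, key, validateAudience: true);  // rejected: audience mismatch
            await ValidateAsync(forGraph, key, validateAudience: false); // accepted by the weak setting
        }
    }
}
```

Running `Describe` on the real WAM-acquired token is the quick check: if `aud` is not this API, or the header carries a `nonce`, the token was never issued for this API and no JWKS lookup will make it validate; the client should request a scope belonging to the API (for example `api://<app-id>/.default`, a placeholder here) so the resulting token's `aud` matches `ValidAudience`.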
