IDX40001: Issuer: 'https://xxxxx.b2clogin.com/<TenantId>/v2.0/', does not match any of the valid issuers provided for this application #52283

Closed
jaliyaudagedara opened this issue Nov 22, 2023 · 6 comments
Labels: area-identity (Includes: Identity and providers)

Comments

jaliyaudagedara commented Nov 22, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Please note: there are a couple of GitHub issues already created for this, but those are closed as Resolved.

I started seeing this issue after updating an API project to .NET 8. I am using the following Microsoft.Identity.Web package.

<PackageReference Include="Microsoft.Identity.Web" Version="2.15.5" />

This used to work without any issues with .NET 7 and Microsoft.Identity.Web: 2.13.3.

Expected Behavior

No response

Steps To Reproduce

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(Configuration, "AzureAdB2C");

Exceptions (if any)

Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX40001: Issuer: 'https://xxxxx.b2clogin.com/<TenantId>/v2.0/', does not match any of the valid issuers provided for this application.
   at Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Validators.AadIssuerValidator.Validate(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)

.NET Version

8.0.100

Anything else?

Related issues:
#51005
#50725
AzureAD/microsoft-identity-web#2481

Related PR:
#51430

I could get around by allowing all the issuers, but that's not good.

services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    // Returns the issuer unchanged, so every issuer passes validation.
    options.TokenValidationParameters.IssuerValidator =
        (string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) => issuer;
});
dotnet-issue-labeler bot added the area-identity label Nov 22, 2023
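An added example, not code from the issue or from Microsoft.Identity.Web: the same Configure call with issuer validation kept on. Instead of returning the issuer unchanged, the allow-list is pinned to the exact issuer string the B2C metadata advertises (with the trailing slash, as in the error message above) and any other issuer is rejected with SecurityTokenInvalidIssuerException. The B2C domain, tenant ID and /hello endpoint are placeholders; it assumes a net8.0 Microsoft.NET.Sdk.Web project with implicit usings and the Microsoft.Identity.Web package.

```csharp
// Added example (not from the issue or Microsoft.Identity.Web). Hardened form of the
// "accept every issuer" workaround: issuer validation stays on and is pinned to an
// explicit allow-list. Domain, tenant ID and endpoint are placeholders.
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration, "AzureAdB2C");

// Registered after AddMicrosoftIdentityWebApi, so it runs after that call's own
// configuration of JwtBearerOptions and the IssuerValidator set here is the one used.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    // Placeholders; a real app takes these from the "AzureAdB2C" configuration section.
    const string b2cDomain = "some-tenant.b2clogin.com";
    const string tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";

    // B2C's metadata advertises the issuer with a trailing slash (see the "issuer"
    // field in the metadata logged in this thread), so the allow-list holds exactly that.
    options.TokenValidationParameters.ValidateIssuer = true;
    options.TokenValidationParameters.ValidIssuers = new[]
    {
        $"https://{b2cDomain}/{tenantId}/v2.0/",
    };

    // Do NOT do this (the workaround from the issue): every issuer is accepted.
    // options.TokenValidationParameters.IssuerValidator = (issuer, _, _) => issuer;
    options.TokenValidationParameters.IssuerValidator = IssuerAllowList.Validate;
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/hello", () => "hello").RequireAuthorization();
app.Run();

static class IssuerAllowList
{
    // Matches the IssuerValidator delegate: return the issuer when accepted, otherwise throw.
    public static string Validate(string issuer, SecurityToken token, TokenValidationParameters tvp)
    {
        if (string.IsNullOrEmpty(issuer))
            throw new SecurityTokenInvalidIssuerException("Token carries no 'iss' claim.");

        var allowed = tvp.ValidIssuers ?? Enumerable.Empty<string>();
        if (!string.IsNullOrEmpty(tvp.ValidIssuer))
            allowed = allowed.Append(tvp.ValidIssuer);

        // Exact, ordinal comparison. Normalising case or the trailing slash here would
        // silently widen what is accepted; add both spellings to the list instead.
        if (allowed.Contains(issuer, StringComparer.Ordinal))
            return issuer;

        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not in the configured allow-list.")
        {
            InvalidIssuer = issuer,
        };
    }
}
```

This replaces the AadIssuerValidator that Microsoft.Identity.Web wires up for the scheme, so the multi-tenant and tenant-templated issuer handling it provides is gone; for an API that trusts a single B2C tenant that is the intent. A token with a different iss still fails in the JwtBearer handler with SecurityTokenInvalidIssuerException, as IDX40001 does above, but now only for issuers that are genuinely not on the list.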
halter73 (Member) commented

Can you confirm that the csproj with <PackageReference Include="Microsoft.Identity.Web" Version="2.15.5" /> also contains <TargetFramework>net8.0</TargetFramework> and that you're pulling in Microsoft.IdentityModel.Validators 7.0.3? If not, you should try targeting net8.0 directly from the project with the PackageReference or add an explicit package reference to Microsoft.IdentityModel.Validators 7.0.3. If you're already pulling in Microsoft.IdentityModel.Validators 7.0.3, can you provide a complete repro project with everything but the credentials configured, so we can figure out why the fix isn't working for you?

I think there is something non-obvious going on considering this was a highly-reported issue in RC1 and RC2, but this appears to be the first report about this with the final version of .NET 8 and Microsoft.Identity.Web 2.15.5. I can confirm that Microsoft.Identity.Web 2.15.5 packages on .NET 8 should fix this issue because it pulls in Microsoft.IdentityModel.Validators 7.0.3.

However, for some reason, the Microsoft.Identity.Web 2.1.5 NuGet package depends on the older 6.0.33 version of Microsoft.IdentityModel.Validators for projects targeting older .NET versions which I think is a mistake because it can lead to this kind of wonkiness when dependencies target multiple different framework versions. @jmprieur @jennyf19

> I could get around by allowing all the issuers, but that's not good.

Agreed. Assuming retargeting to net8.0 and/or explicitly referencing Microsoft.IdentityModel.Validators 7.0.3 doesn't fix your issue, a better workaround in the meantime is likely to set JwtBearerOptions.UseSecurityTokenValidators = true which is the second option listed under "recommended action" in the breaking change announcement. That way you still get issuer validation.
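An added example, not from the thread and not part of Microsoft.Identity.Web or Microsoft.IdentityModel: a startup self-check for the version mismatch halter73 describes. It forces each Microsoft.IdentityModel assembly the API depends on to load, reads the versions actually bound at runtime, and fails fast if they are split across major versions or if Microsoft.IdentityModel.Validators is below 7.0.3, the version stated above as carrying the fix. The 7.0.3 floor and the choice of probe types are assumptions of this example; it assumes the same net8.0 project with implicit usings.

```csharp
// Added example (not from the thread, not part of Microsoft.IdentityModel): verify at
// startup that the Microsoft.IdentityModel.* assemblies actually loaded agree on one
// major version and that Validators is at least 7.0.3 (assumed floor for this check).
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Validators;

static class IdentityModelVersionCheck
{
    public static readonly Version MinimumValidators = new(7, 0, 3);

    // One representative type per assembly; typeof() forces the assembly to load,
    // so the versions reported are the ones bound at runtime, not the ones you
    // think you referenced in the csproj.
    static readonly Type[] Probes =
    {
        typeof(AadIssuerValidator),          // Microsoft.IdentityModel.Validators
        typeof(TokenValidationParameters),   // Microsoft.IdentityModel.Tokens
        typeof(JsonWebTokenHandler),         // Microsoft.IdentityModel.JsonWebTokens
        typeof(OpenIdConnectConfiguration),  // Microsoft.IdentityModel.Protocols.OpenIdConnect
        typeof(JwtSecurityTokenHandler),     // System.IdentityModel.Tokens.Jwt
    };

    public static IReadOnlyList<(string Name, Version Version)> LoadedVersions() =>
        Probes.Select(t => t.Assembly.GetName())
              .Select(n => (n.Name ?? "?", n.Version ?? new Version(0, 0)))
              .ToList();

    // Returns human-readable findings; empty means the dependency graph is consistent.
    public static IReadOnlyList<string> Problems()
    {
        var loaded = LoadedVersions();
        var problems = new List<string>();

        var validators = loaded.First(v => v.Name == "Microsoft.IdentityModel.Validators");
        if (validators.Version < MinimumValidators)
            problems.Add($"{validators.Name} is {validators.Version}, need >= {MinimumValidators}");

        var majors = loaded.Select(v => v.Version.Major).Distinct().ToList();
        if (majors.Count > 1)
            problems.Add("mixed Microsoft.IdentityModel major versions: " +
                string.Join(", ", loaded.Select(v => $"{v.Name} {v.Version}")));

        return problems;
    }

    // Call once at startup; failing here beats a confusing IDX40001 on the first request.
    public static void EnsureConsistent()
    {
        var problems = Problems();
        if (problems.Count > 0)
            throw new InvalidOperationException(
                "Microsoft.IdentityModel dependency check failed: " + string.Join("; ", problems));
    }
}
```

Call IdentityModelVersionCheck.EnsureConsistent() in Program.cs before builder.Build(). The assembly versions it reads are the same ones the IdentityModel logger prints on its first line (7.0.3.0 and 6.33.0.0 in the two logs later in this thread), so a gap between that line and the package version you expected is exactly what the check surfaces.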

jaliyaudagedara (Author) commented Nov 23, 2023

@halter73,

Thanks for the comment and I am sorry for the delay in replying.

> Can you confirm that the csproj with <PackageReference Include="Microsoft.Identity.Web" Version="2.15.5" /> also contains <TargetFramework>net8.0</TargetFramework> and that you're pulling in Microsoft.IdentityModel.Validators 7.0.3

yes, I checked.


<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <InvariantGlobalization>true</InvariantGlobalization>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Identity.Web" Version="2.15.5" />
  </ItemGroup>

</Project>

And I tried setting JwtBearerOptions.UseSecurityTokenValidators = true.

builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.UseSecurityTokenValidators = true;
});

Still, it's failing with the same error.
https://github.com/dotnet/aspnetcore/assets/5653381/4974b24e-96f4-45df-8768-8ba13503da6b

Please find the attached sample project with the configuration.
WebApplication2.zip

Error log (with .NET 8.0),

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/1.1 GET https://localhost:7183/hello - application/json -
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1001]
      1 candidate(s) found for the request path '/hello'
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
      Request matched endpoint 'HTTP: GET /hello'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      Microsoft.IdentityModel Version: 7.0.3.0. Date 11/23/2023 08:21:55. PII logging is ON, do not use in production. See https://aka.ms/IdentityModel/PII for details.
      IDX20805: Obtaining information from metadata endpoint: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21811: Deserializing the string: '{
        "issuer": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/",
        "authorization_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/authorize",
        "token_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/token",
        "end_session_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/logout",
        "jwks_uri": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys",
        "userinfo_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/openid/v2.0/userinfo",
        "response_modes_supported": [
          "query",
          "fragment",
          "form_post"
        ],
        "response_types_supported": [
          "code",
          "code id_token",
          "code token",
          "code id_token token",
          "id_token",
          "id_token token",
          "token",
          "token id_token"
        ],
        "scopes_supported": [
          "openid"
        ],
        "subject_types_supported": [
          "pairwise"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_post",
          "client_secret_basic"
        ],
        "claims_supported": [
          "name",
          "given_name",
          "family_name",
          "email",
          "employeeId",
          "email",
          "sub",
          "idp",
          "tid",
          "iss",
          "iat",
          "exp",
          "aud",
          "acr",
          "nonce",
          "auth_time"
        ]
      }' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21812: Retrieving json web keys from: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21813: Deserializing json web keys: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10806: Deserializing json: '{
        "keys": [
          {"kid":"AiH1xhuU4Oll1kXhPUKg_nN--iCZvxVC-fxnEhRkO6Y","use":"sig","kty":"RSA","e":"AQAB","n":"2a0LUz4EQuTCj7OpFlE2NTeo3kBXu69RgMa8M8d1wqkv3Fp_kaiPAr0zNe0UMbo5XbXiUbrmvf8vUtiHhklZjjUvZZWxNx0Vph_tS206VrIKwb4yj2EDlIjWJHLLq2IWlfjXgnxSOiV4PqzoV4Gul0WpLAoqkT4xfgk_MJgnlt26DMePA7CFRyrztgeqD4dMFMVC6FEgDPris-IkXvZiovwAPqtCneKty1HsfJNSNMG6XnrhsVtGDRVPT441kx5j0EmfPVOoa7jRxxGoCmp4YwPStSMKDNEzoVc5YX81iuE_ISv4Z0-pOMh6OZ8uAtGs9waYgOsFPQhp7wuxYCMhnQ"}
        ]
      }' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10242: Security token: '[Security Artifact of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]' has a valid signature.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10237: ValidateIssuerSigningKey property on ValidationParameters is set to false. Exiting without validating the issuer signing key.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10234: Audience Validated.Audience: 'xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21811: Deserializing the string: '{"token_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/kerberos","tenant_region_scope":"NA","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21812: Retrieving json web keys from: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21813: Deserializing json web keys: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10806: Deserializing json: '{"keys":[{"kty":"RSA","use":"sig","kid":"9GmnyFPkhc3hOuR22mvSvgnLo7Y","x5t":"9GmnyFPkhc3hOuR22mvSvgnLo7Y","n":"z_w-5U4eZwenXYnEgt2rCN-753YQ7RN8ykiNprNiLl4ilpwAGLWF1cssoRflsSiBVZcCSwUzUwsifG7sbRq9Vc8RFs72Gg0AUwPsJFUqNttMg3Ot-wTqsZtE5GNSBUSqnI-iWoZfjw-uLsS0u4MfzP8Fpkd-rzRlifuIAYK8Ffi1bldkszeBzQbBZbXFwiw5uTf8vEAkH_IAdB732tQAsNXpWWYDV74nKAiwLlDS5FWVs2S2T-MPNAg28MLxYfRhW2bUpd693inxI8WTSLRncouzMImJF4XeMG2ZRZ0z_KJra_uzzMCLbILtpnLA95ysxWw-4ygm3MxN2iBM2IaJeQ","e":"AQAB","x5c":["…"],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"},{"kty":"RSA","use":"sig","kid":"T1St-dLTvyWRgxB_676u8krXS-I","x5t":"T1St-dLTvyWRgxB_676u8krXS-I","n":"s2TCRTB0HKEfLBPi3_8CxCbWirz7rlvzcXnp_0j3jrmb_hst0iiHifSBwE0FV1WW79Kyw0AATkLfSLLyllyCuzgoUOgmXd3YMaqB8mQOBIecFQDAHkM1syzi_VwVdJt8H1yI0hOGcOktujDPHidVFtOuoDqAWlCs7kCGwlazK4Sfu_pnfJI4RmU8AvqO0auGcxg24ICbpP01G0PgbvW8uhWSWSSTXmfdIh567JOHsgvFr0m1AUQv7wbeRxgyiHwn29h6g1bwSYJB4I6TMG-cDygvU9lNWFzeYhtqG4Z_cA3khWIMmTq3dVzCsi4iU309-c0FopWacTHouHyMRcpJFQ","e":"AQAB","x5c":["MIIC/TCCAeWgAwIBAgIIUd7j/OIahkYwDQYJKoZIhvcNAQELBQAwLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDAeFw0yMzExMDExNjAzMjdaFw0yODExMDExNjAzMjdaMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzZMJFMHQcoR8sE+Lf/wLEJtaKvPuuW/Nxeen/SPeOuZv+Gy3SKIeJ9IHATQVXVZbv0rLDQABOQt9IsvKWXIK7OChQ6CZd3dgxqoHyZA4Eh5wVAMAeQzWzLOL9XBV0m3wfXIjSE4Zw6S26MM8eJ1UW066gOoBaUKzuQIbCVrMrhJ+7+md8kjhGZTwC+o7Rq4ZzGDbggJuk/TUbQ+Bu9by6FZJZJJNeZ90iHnrsk4eyC8WvSbUBRC/vBt5HGDKIfCfb2HqDVvBJgkHgjpMwb5wPKC9T2U1YXN5iG2obhn9wDeSFYgyZOrd1XMKyLiJTfT35zQWilZpxMei4fIxFykkVAgMBAAGjITAfMB0GA1UdDgQWBBRNcCE3HDX+HOJOu/bKfLYoSX3/0jANBgkqhkiG9w0BAQsFAAOCAQEAExns169MDr1dDNELYNK0JDjPUA6GR50jqfc+xa2KOljeXErOdihSvKgDS/vnDN6fjNNZuOMDyr6jjLvRsT0jVWzf/B6v92FrPRa/rv3urGXvW5am3BZyVPipirbiolMTuork95G7y7imftK7117uHcMq3D8f4fxscDiDXgjEEZqjkuzYDGLaVWGJqpv5xE4w+K4o2uDwmEIeIX+rI1MEVucS2vsvraOrjqjHwc3KrzuVRSsOU7YVHyUhku+7oOrB4tYrVbYYgwd6zXnkdouVPqOX9wTkc9iTmbDP+rfkhdadLxU+hmMyMuCJKgkZbWKFES7ce23jfTMbpqoHB4pgtQ=="],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"},{"kty":"RSA","use":"sig","kid":"lHLIu4moKqzPcokwlfCRPHyjl5g","x5t":"lHLIu4moKqzPcokwlfCRPHyjl5g","n":"xlc-u9LJvOdbwAsgsYZpaJrgmrGHaEkoa_3_7Jvu4-Hb8LNtszrQy5Ik4CXgQ_uiLPt4-ePprX3klFAx91ahfd5LwX6mEQPT8WuHMDunx8MaNQrYNVvnOI1L5NxFBFV_6ghi_0d-cOslErcTMML2lbMCSjQ8jwltxz1Oy-Hd9wdY2pz2YC3WR4tHzAGreWGeOB2Vs2NLGv0U3CGSCMqpM9vxbWLZQPuCNpKF93RkxHj5bLng9U_rM6YScacEnTFlKIOOrk4pcVVdoSNNIK2uNUs1hHS1mBXuQjfceghzj3QQYHfp1Z5qWXPRIw3PDyn_1Sowe5UljLurkpj_8m3KnQ","e":"AQAB","x5c":["…"],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"}]}' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX40001: Issuer: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/', does not match any of the valid issuers provided for this application.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21811: Deserializing the string: '{
        "issuer": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/",
        "authorization_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/authorize",
        "token_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/token",
        "end_session_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/logout",
        "jwks_uri": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys",
        "userinfo_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/openid/v2.0/userinfo",
        "response_modes_supported": [
          "query",
          "fragment",
          "form_post"
        ],
        "response_types_supported": [
          "code",
          "code id_token",
          "code token",
          "code id_token token",
          "id_token",
          "id_token token",
          "token",
          "token id_token"
        ],
        "scopes_supported": [
          "openid"
        ],
        "subject_types_supported": [
          "pairwise"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_post",
          "client_secret_basic"
        ],
        "claims_supported": [
          "name",
          "given_name",
          "family_name",
          "email",
          "employeeId",
          "email",
          "sub",
          "idp",
          "tid",
          "iss",
          "iat",
          "exp",
          "aud",
          "acr",
          "nonce",
          "auth_time"
        ]
      }' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21812: Retrieving json web keys from: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21813: Deserializing json web keys: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10806: Deserializing json: '{
        "keys": [
          {"kid":"AiH1xhuU4Oll1kXhPUKg_nN--iCZvxVC-fxnEhRkO6Y","use":"sig","kty":"RSA","e":"AQAB","n":"2a0LUz4EQuTCj7OpFlE2NTeo3kBXu69RgMa8M8d1wqkv3Fp_kaiPAr0zNe0UMbo5XbXiUbrmvf8vUtiHhklZjjUvZZWxNx0Vph_tS206VrIKwb4yj2EDlIjWJHLLq2IWlfjXgnxSOiV4PqzoV4Gul0WpLAoqkT4xfgk_MJgnlt26DMePA7CFRyrztgeqD4dMFMVC6FEgDPris-IkXvZiovwAPqtCneKty1HsfJNSNMG6XnrhsVtGDRVPT441kx5j0EmfPVOoa7jRxxGoCmp4YwPStSMKDNEzoVc5YX81iuE_ISv4Z0-pOMh6OZ8uAtGs9waYgOsFPQhp7wuxYCMhnQ"}
        ]
      }' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10242: Security token: '[Security Artifact of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]' has a valid signature.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10237: ValidateIssuerSigningKey property on ValidationParameters is set to false. Exiting without validating the issuer signing key.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10234: Audience Validated.Audience: 'xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21811: Deserializing the string: '{"token_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/kerberos","tenant_region_scope":"NA","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21812: Retrieving json web keys from: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21813: Deserializing json web keys: 'https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10806: Deserializing json: '{"keys":[{"kty":"RSA","use":"sig","kid":"9GmnyFPkhc3hOuR22mvSvgnLo7Y","x5t":"9GmnyFPkhc3hOuR22mvSvgnLo7Y","n":"z_w-5U4eZwenXYnEgt2rCN-753YQ7RN8ykiNprNiLl4ilpwAGLWF1cssoRflsSiBVZcCSwUzUwsifG7sbRq9Vc8RFs72Gg0AUwPsJFUqNttMg3Ot-wTqsZtE5GNSBUSqnI-iWoZfjw-uLsS0u4MfzP8Fpkd-rzRlifuIAYK8Ffi1bldkszeBzQbBZbXFwiw5uTf8vEAkH_IAdB732tQAsNXpWWYDV74nKAiwLlDS5FWVs2S2T-MPNAg28MLxYfRhW2bUpd693inxI8WTSLRncouzMImJF4XeMG2ZRZ0z_KJra_uzzMCLbILtpnLA95ysxWw-4ygm3MxN2iBM2IaJeQ","e":"AQAB","x5c":["…"],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"},{"kty":"RSA","use":"sig","kid":"T1St-dLTvyWRgxB_676u8krXS-I","x5t":"T1St-dLTvyWRgxB_676u8krXS-I","n":"s2TCRTB0HKEfLBPi3_8CxCbWirz7rlvzcXnp_0j3jrmb_hst0iiHifSBwE0FV1WW79Kyw0AATkLfSLLyllyCuzgoUOgmXd3YMaqB8mQOBIecFQDAHkM1syzi_VwVdJt8H1yI0hOGcOktujDPHidVFtOuoDqAWlCs7kCGwlazK4Sfu_pnfJI4RmU8AvqO0auGcxg24ICbpP01G0PgbvW8uhWSWSSTXmfdIh567JOHsgvFr0m1AUQv7wbeRxgyiHwn29h6g1bwSYJB4I6TMG-cDygvU9lNWFzeYhtqG4Z_cA3khWIMmTq3dVzCsi4iU309-c0FopWacTHouHyMRcpJFQ","e":"AQAB","x5c":["…"],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"},{"kty":"RSA","use":"sig","kid":"lHLIu4moKqzPcokwlfCRPHyjl5g","x5t":"lHLIu4moKqzPcokwlfCRPHyjl5g","n":"xlc-u9LJvOdbwAsgsYZpaJrgmrGHaEkoa_3_7Jvu4-Hb8LNtszrQy5Ik4CXgQ_uiLPt4-ePprX3klFAx91ahfd5LwX6mEQPT8WuHMDunx8MaNQrYNVvnOI1L5NxFBFV_6ghi_0d-cOslErcTMML2lbMCSjQ8jwltxz1Oy-Hd9wdY2pz2YC3WR4tHzAGreWGeOB2Vs2NLGv0U3CGSCMqpM9vxbWLZQPuCNpKF93RkxHj5bLng9U_rM6YScacEnTFlKIOOrk4pcVVdoSNNIK2uNUs1hHS1mBXuQjfceghzj3QQYHfp1Z5qWXPRIw3PDyn_1Sowe5UljLurkpj_8m3KnQ","e":"AQAB","x5c":["MIIC6TCCAdGgAwIBAgIIT3fcexMa3ggwDQYJKoZIhvcNAQELBQAwIzEhMB8GA1UEAxMYbG9naW4ubWljcm9zb2Z0b25saW5lLnVzMB4XDTIzMDcxNDAwNDU0NFoXDTI4MDcxNDAwNDU0NFowIzEhMB8GA1UEAxMYbG9naW4ubWljcm9zb2Z0b25saW5lLnVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxlc+u9LJvOdbwAsgsYZpaJrgmrGHaEkoa/3/7Jvu4+Hb8LNtszrQy5Ik4CXgQ/uiLPt4+ePprX3klFAx91ahfd5LwX6mEQPT8WuHMDunx8MaNQrYNVvnOI1L5NxFBFV/6ghi/0d+cOslErcTMML2lbMCSjQ8jwltxz1Oy+Hd9wdY2pz2YC3WR4tHzAGreWGeOB2Vs2NLGv0U3CGSCMqpM9vxbWLZQPuCNpKF93RkxHj5bLng9U/rM6YScacEnTFlKIOOrk4pcVVdoSNNIK2uNUs1hHS1mBXuQjfceghzj3QQYHfp1Z5qWXPRIw3PDyn/1Sowe5UljLurkpj/8m3KnQIDAQABoyEwHzAdBgNVHQ4EFgQUCSJrrznFYz1BLqd17S8HFjGrAOAwDQYJKoZIhvcNAQELBQADggEBAAQHNudtmYpeh9x5+rGDVy6OYpTnQ2D5+rmgOHM5yRvgEnFBNuZ6bnr3Ap9nb6EM08juYKPaVyhkV+5axMl+dT8KOuCgrfcKvXqzdQ3BgVFkyU9XfajHzq3JALYpNkixCs/BvqRhXx2ecYxFHB2D671cOwhYIaMZdGtbmOOk8puYSgJ9DBqqn3pLksHmxLP656l/U3hPATTCdfDaNcTagIPx+Q2d9RBn8zOIa/p4CLsu3E0aJfDw3ljPD8inLJ2mpKq06TBfd5Rr/auwipb4J8Y/PHhef8b2kOf42fikIKAP538k9lLsXSowyPWn7KZDTEsku7xpyqvKvEiFkmaV+RY="],"issuer":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"}]}' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
fail: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX40001: Issuer: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/', does not match any of the valid issuers provided for this application.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
      Failed to validate the token.
      Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX40001: Issuer: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/', does not match any of the valid issuers provided for this application.
         at Microsoft.IdentityModel.Validators.AadIssuerValidator.ValidateAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
         at Microsoft.IdentityModel.Validators.AadIssuerValidator.Validate(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
         at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
      Bearer was not authenticated. Failure message: IDX40001: Issuer: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/', does not match any of the valid issuers provided for this application.
dbug: Microsoft.AspNetCore.Authorization.AuthorizationMiddleware[0]
      Policy authentication schemes  did not succeed
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed. These requirements were not met:
      DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
      AuthenticationScheme: Bearer was challenged.
dbug: Microsoft.AspNetCore.Server.Kestrel.Connections[9]
      Connection id "0HMVBVKU9C4EF" completed keep alive response.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/1.1 GET https://localhost:7183/hello - 401 0 - 6471.6569ms

Working log (with .NET 7.0),

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/1.1 GET https://localhost:7183/hello application/json -
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1001]
      1 candidate(s) found for the request path '/hello'
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
      Request matched endpoint 'HTTP: GET /hello'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      Microsoft.IdentityModel Version: 6.33.0.0. Date 11/23/2023 08:48:06. PII logging is ON, do not use in production. See https://aka.ms/IdentityModel/PII for details.
      IDX20805: Obtaining information from metadata endpoint: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21811: Deserializing the string: '{
        "issuer": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/v2.0/",
        "authorization_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/authorize",
        "token_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/token",
        "end_session_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/oauth2/v2.0/logout",
        "jwks_uri": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys",
        "userinfo_endpoint": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/openid/v2.0/userinfo",
        "response_modes_supported": [
          "query",
          "fragment",
          "form_post"
        ],
        "response_types_supported": [
          "code",
          "code id_token",
          "code token",
          "code id_token token",
          "id_token",
          "id_token token",
          "token",
          "token id_token"
        ],
        "scopes_supported": [
          "openid"
        ],
        "subject_types_supported": [
          "pairwise"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_post",
          "client_secret_basic"
        ],
        "claims_supported": [
          "name",
          "given_name",
          "family_name",
          "email",
          "employeeId",
          "email",
          "sub",
          "idp",
          "tid",
          "iss",
          "iat",
          "exp",
          "aud",
          "acr",
          "nonce",
          "auth_time"
        ]
      }' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21812: Retrieving json web keys from: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX20805: Obtaining information from metadata endpoint: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX21813: Deserializing json web keys: 'https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/b2c_1a_ad_signup_signin/discovery/v2.0/keys'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10242: Security token: '[Security Artifact of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]' has a valid signature.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10237: ValidateIssuerSigningKey property on ValidationParameters is set to false. Exiting without validating the issuer signing key.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10234: Audience Validated.Audience: 'xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10246: ValidateTokenReplay property on ValidationParameters is set to false. Exiting without validating the token replay.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10255: TypeValidator property on ValidationParameters is null and ValidTypes is either null or empty. Exiting without validating the token type.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10245: Creating claims identity from the validated token: '[Security Artifact of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10241: Security token validated. token: '[Security Artifact of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging.]'.
dbug: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
      Successfully validated the token.
dbug: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[8]
      AuthenticationScheme: Bearer was successfully authenticated.
dbug: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[1]
      Authorization was successful.
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
      Executing endpoint 'HTTP: GET /hello'
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
      Executed endpoint 'HTTP: GET /hello'
dbug: Microsoft.AspNetCore.Server.Kestrel.Connections[9]
      Connection id "0HMVC03G83A93" completed keep alive response.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/1.1 GET https://localhost:7183/hello application/json - - 200 - text/plain;+charset=utf-8 1941.7690ms

I am seeing this (which is to be expected: Security token events return a JsonWebToken),

.NET 8.0

Microsoft.IdentityModel.JsonWebTokens.JsonWebToken

.NET 7.0

System.IdentityModel.Tokens.Jwt.JwtSecurityToken

And .NET 7.0 uses Microsoft.IdentityModel Version: 6.33.0.0 and .NET 8 uses Microsoft.IdentityModel Version: 7.0.3.0

@halter73
Member

It appears to be hitting https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration when it ought to only be hitting https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration. This could be a bug in https://github.com/AzureAD/microsoft-identity-web/, but I suspect that the issue is it changed how it handled conflicting configuration.

Can you provide the keys and sanitized values for all your IConfiguration? If you're manually specifying something like ValidIssuers, that shouldn't be necessary if you've properly configured the Authority to point to https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/.

@jaliyaudagedara
Author

jaliyaudagedara commented Nov 23, 2023

This is the configuration.

"AzureAdB2C": {
    "Authority": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/v2.0",
    "ClientId": "xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy",
    "Domain": "some-tenant.onmicrosoft.com",
    "Instance": "https://some-tenant.b2clogin.com",
    "MetadataAddress": "https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration",
    "Scope": "https://some-tenant.onmicrosoft.com/xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy/access_as_user",
    "SignedOutCallbackPath": "/signout/B2C_1A_AD_SIGNUP_SIGNIN",
    "SignUpSignInPolicyId": "B2C_1A_AD_SIGNUP_SIGNIN",
    "Tenant": "some-tenant.onmicrosoft.com",
    "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
  }

This configuration is kind of a mess. It's an old project some devs have maintained; I don't think we need all these properties set.

I believe only these should be enough.

"AzureAdB2C": {
    "Authority": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/v2.0",
    "ClientId": "xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy",
    "Scope": "https://some-tenant.onmicrosoft.com/xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy/access_as_user",
    "SignedOutCallbackPath": "/signout/B2C_1A_AD_SIGNUP_SIGNIN",
    "SignUpSignInPolicyId": "B2C_1A_AD_SIGNUP_SIGNIN"
  }

or https://learn.microsoft.com/en-us/azure/active-directory-b2c/enable-authentication-web-api?tabs=csharpclient

 "AzureAdB2C": {
    "Instance": "https://some-tenant.b2clogin.com",
    "Domain": "some-tenant.onmicrosoft.com",
    "ClientId": "xxxxyyyy-xxxx-xxxx-xxxx-xxxxxxxxyyyyy",
    "SignedOutCallbackPath": "/signout/B2C_1A_AD_SIGNUP_SIGNIN",
    "SignUpSignInPolicyId": "B2C_1A_AD_SIGNUP_SIGNIN"
  }

When I changed the Authority to https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/, it worked.

But I would think there is still a bug somewhere or some breaking change where Configuration is being handled.

@halter73
Member

> When I changed the Authority to https://some-tenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/, it worked.

I'm glad this worked for you. I'm surprised the original configuration worked in .NET 7 with the "MetadataAddress" and "Authority" pointing to different places, but there were some breaking changes we announced when the ASP.NET Core authentication handlers changed from JwtSecurityToken to JsonWebToken for validated JWTs, so it's not shocking that some behaviors changed in these kinds of edge cases. Those wouldn't be as heavily tested as the mainline scenarios. I suspect previously the misconfigured "Authority" was being ignored, and now it is being used for something.

https://learn.microsoft.com/en-us/dotnet/core/compatibility/aspnet-core/8.0/securitytoken-events

I'm all for improving errors when we get misconfiguration, but it can be difficult to detect. That said, we're open to contributions if there's a simple, 100% reliable way to catch misconfiguration early and log it or throw.
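As an added example (not code from this issue or from Microsoft.Identity.Web), here is one way to fail at startup on the conflict discussed above, where "Authority" and "MetadataAddress" in the AzureAdB2C section point at different authorities; it assumes the configuration shape shown above and validates the JwtBearerOptions the library ends up with for the Bearer scheme.

```csharp
// Added example, not from the issue or the library. Rejects a configuration in
// which "Authority" and "MetadataAddress" disagree, so the mismatch surfaces at
// startup instead of as an IDX40001 on the first authenticated request.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration, "AzureAdB2C");

// IValidateOptions runs after all Configure/PostConfigure callbacks, so this
// sees the resolved values; ValidateOnStart makes the host refuse to boot.
builder.Services
    .AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
    .Validate(o => AuthorityMatchesMetadata(o.Authority, o.MetadataAddress),
        "AzureAdB2C: 'Authority' and 'MetadataAddress' point to different " +
        "authorities; the token issuer will not match and validation will fail.")
    .ValidateOnStart();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/hello", () => "hello").RequireAuthorization();
app.Run();

// True when only one of the two is configured (the library derives the other),
// or when the metadata document lives under the configured authority, e.g.
//   Authority:       https://t.b2clogin.com/<tid>/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/
//   MetadataAddress: https://t.b2clogin.com/<tid>/B2C_1A_AD_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration
// False for the thread's original config, whose Authority was login.microsoftonline.com.
static bool AuthorityMatchesMetadata(string? authority, string? metadataAddress)
{
    if (string.IsNullOrEmpty(authority) || string.IsNullOrEmpty(metadataAddress))
        return true;

    if (!Uri.TryCreate(authority, UriKind.Absolute, out var a) ||
        !Uri.TryCreate(metadataAddress, UriKind.Absolute, out var m))
        return false;

    var authorityPath = a.AbsolutePath.TrimEnd('/') + "/";
    return string.Equals(a.Host, m.Host, StringComparison.OrdinalIgnoreCase)
        && m.AbsolutePath.StartsWith(authorityPath, StringComparison.OrdinalIgnoreCase);
}
```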

@jaliyaudagedara
Author

jaliyaudagedara commented Dec 1, 2023

Yeah, after looking at the config with .NET 7, technically it should have thrown an error at startup.

> I'm all for improving errors when we get misconfiguration, but it can be difficult to detect. That said, we're open to contributions if there's a simple, 100% reliable way to catch misconfiguration early and log it or throw.

Will have a look!

Thanks @halter73 for your help!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 7, 2024