IDX10503: Signature validation failed. Token does not have a kid on mobile browser only

[jcain]

Hello Duende support. We're an enterprise customer and we have a client that consistently get the error "IDX10503: Signature validation failed. Token does not have a kid." when attempting to federate with Microsoft Entra ID on a mobile device. They can login using a desktop browser, but using a mobile device, both iOS and Android generates this error. We're using the system browser and not a web view. Also, we have many other clients that can federate with Entra ID on a mobile device just fine. Do you have any experience with this and maybe help point us in the right direction? The full error is below.

Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware
An unhandled exception has occurred while executing the request.
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
---> Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '12'.
Number of keys in Configuration: '10'.
'[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. See https://aka.ms/IDX10503 for details.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in //identity-server/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 39
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in //identity-server/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 44
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/identity-server/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10503: Signature validation failed. Token does not have a kid. Keys tried: '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Number of keys in TokenValidationParameters: '12'.
Number of keys in Configuration: '10'.

[RolandGuijt]

Just to rule this out before we investigate further: can you please check if the versions of your Microsoft.IdentityModel.* packages are correct and in sync?

[jcain]

This is what I have. I'll try updating it to the versions recommended in the link.

  > Microsoft.IdentityModel.Abstractions                            7.1.2
   > Microsoft.IdentityModel.JsonWebTokens                           7.1.2
   > Microsoft.IdentityModel.Logging                                 7.1.2
   > Microsoft.IdentityModel.Protocols                               7.1.2
   > Microsoft.IdentityModel.Protocols.OpenIdConnect                 7.1.2
   > Microsoft.IdentityModel.Tokens                                  7.1.2
   > System.IdentityModel.Tokens.Jwt                                 7.1.2

[RolandGuijt]

In the meantime, can you please provide us with more details:

• When mentioning "client" in the first paragraph, I assume you're talking about a customer.
• Is the customer with the problem using a mobile app exclusively for them or is the same app also used by other customers where things do work?
• What tech is the mobile app using? Is it .NET Maui or something else?
• What OIDC/OAuth library is used?
• Please post the code that configures OIDC/OAuth on the client and the client configuration in IdentityServer.
• Since the token validation parameters and the number of keys in the configuration differ, are there any customizations on the IdentityServer side that could be related to this?

[RolandGuijt]

The SecurityTokenSignatureKeyNotFoundException error occurs when the JWT token's kid doesn't match any available signing keys in your validation configuration.
The next thing to check would be if the kid (key id) in the token matches a key in the discovery document. Can you please use jwt.ms or equivalent to check the kid in the header of the token and see if it exists on the discovery endpoint /.well-known/openid-configuration?

The challenge here however is to find out why this only occurs with one customer. Does the app run on an OS that is different from the others or are there any other differences or customizations for that particular customer on the client or the IdentityServer side?

[jcain]

This is the token we're getting back from MS Entra ID and its headers:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "CDZENmWVHAmtG4SyJ4DWRTumrJM"
}

[jcain]

Also, this customer is using Entra ID in the UK South and UK West. I checked the following metadata endpoints and the key does not exist in any endpoint.

https://login.microsoftonline.com/common/discovery/keys
https://login.microsoftonline.com/b33be5d6-5072-448f-bad3-d8b66cf09736/discovery/keys
https://login.microsoftonline.com/b33be5d6-5072-448f-bad3-d8b66cf09736/discovery/v2.0/keys

[jcain]

I feel like this is a Microsoft problem. I’m thinking we ask our customer to open a ticket with Microsoft to explain this strange behavior.

Have you seen anything like this before?

[RolandGuijt]

No I haven't. Something must be off in the tenant somehow but this falls outside the scope of this medium. Opening a ticket at Microsoft seems the way forward indeed.