Identityserver4: SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key: kid

Created on 5 Jul 2020 · 5 Comments · Source: IdentityServer/IdentityServer4

Question

I have a 3 tier application, ie:

  • blazor web app
  • API server
  • Identity server 4

On my local machine, everything looks fine... but when I install it on a remote server (into a docker container), I get the following issue.

First, I create an account, then sign in... then I wait for some time, and when I come back to my server, it fails on the blazor web app side with the following message:

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key: kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.

If I delete the cookies, then I can log in again... but after some time I get the same problem again and again!

So, my cookie looks good, but when the blazor app tries to contact the API server, I get an "unauthorized" error!
Looks like the identity-server (which is the authority of the API server) cannot validate anymore!

Details

Note that I use:

  • docker
  • abp.io that is pre-setup with identityserver 4

I also have a post on StackOverflow about this, but for now nobody seems to help :-(
There you can even find some code ;-)

https://stackoverflow.com/questions/62732883/identityserve-4-in-production-env-idx10501-signature-validation-failed-unab

If someone has an idea, it is welcome, please... it drives me crazy :-P ;-)

Thanks

Labels: question, wontfix

All 5 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

I'm having the same issue! No solution so far... Any guidance on how to proceed?

Did you find a solution?

Hi @AshishMantosh
Yes, I recently found the solution after I opened a ticket with Azure because of it. The solution provided by Microsoft is as follows:

Microsoft

It appears you are using Claims-Mapping and have a custom signing key. The Metadata link for this requires the addition of an APPID query string:

https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration?appid={APPLICATION_ID}

This key is found at the following location:

https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys?appid={APPLICATION_ID}


I hope this helps.
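The IDX10501 message in this issue is raised when the token handler cannot find, in the key set it downloaded from the authority's metadata, a key whose `kid` matches the `kid` in the incoming token's header. The following Python script is an added diagnostic example, not code from this issue, from IdentityServer4, or from Microsoft: it decodes the header of a token, performs the same `kid` lookup against a JWKS document, and builds the v2.0 metadata URL with the `appid` query string from the answer above. The token and both key sets are constructed sample data (the `n` values are placeholders, not real RSA moduli); the function names are this example's own.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode, urlunsplit


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT segments are emitted without padding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT compact-serialisation form."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_header(jwt: str) -> dict:
    """Return the decoded JOSE header of a compact-serialised JWT.

    No signature check happens here: this only reads the 'kid' and 'alg'
    fields the validator uses to pick a key, which is what IDX10501 is about.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(jwks: dict, kid: str) -> Optional[dict]:
    """Return the JWK whose 'kid' matches and that is usable for signatures.

    This mirrors the lookup the token handler performs; returning None is the
    condition that surfaces as SecurityTokenSignatureKeyNotFoundException.
    """
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def diagnose(jwt: str, jwks: dict) -> str:
    """Explain whether the token's kid can be matched in the given key set."""
    header = token_header(jwt)
    kid = header.get("kid")
    if kid is None:
        return "token has no kid; the validator must try every key in the set"
    key = find_signing_key(jwks, kid)
    if key is None:
        known = [k.get("kid") for k in jwks.get("keys", [])]
        return f"kid {kid!r} not in key set {known}; expect IDX10501"
    if key.get("alg") not in (None, header.get("alg")):
        return f"kid {kid!r} found but key alg {key['alg']!r} != token alg {header.get('alg')!r}"
    return f"kid {kid!r} found (alg {header.get('alg')})"


def discovery_url(tenant_id: str, app_id: Optional[str] = None) -> str:
    """Build the v2.0 metadata URL; with app_id it appends the appid query
    string that the Microsoft answer above requires for custom signing keys."""
    path = f"/{tenant_id}/v2.0/.well-known/openid-configuration"
    query = urlencode({"appid": app_id}) if app_id else ""
    return urlunsplit(("https", "login.microsoftonline.com", path, query, ""))


# Constructed sample data: a token whose signature is a dummy string (only the
# header matters for this check) and two key sets, one current and one stale.
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "key-2020-07"}).encode()),
    b64url_encode(json.dumps({"sub": "user-1", "aud": "api"}).encode()),
    b64url_encode(b"not-a-real-signature"),
])
JWKS_CURRENT = {"keys": [{"kty": "RSA", "kid": "key-2020-07", "use": "sig",
                          "n": "placeholder-modulus", "e": "AQAB"}]}
JWKS_STALE = {"keys": [{"kty": "RSA", "kid": "key-2019-12", "use": "sig",
                        "n": "placeholder-modulus", "e": "AQAB"}]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_JWT, JWKS_CURRENT))
    print(diagnose(SAMPLE_JWT, JWKS_STALE))
    print(discovery_url("{TENANT_ID}", "{APPLICATION_ID}"))
```

To use this against a live deployment, fetch the `jwks_uri` named in the metadata document the API actually points at (with or without `appid`), save it, and pass it together with a token that failed; if the `kid` is absent from that set, the API is reading keys from the wrong metadata endpoint or from a set that does not include the key the token was signed with, which is exactly the situation described in this thread.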

Thanks a lot.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
