
Comments (16)

adamasmar avatar adamasmar commented on August 22, 2024 1

@stephenstroud your end result should look something like this:
https://{yourb2c}.b2clogin.com/{your GUID as mentioned in my previous comment }/v2.0/

from samples.

darnmason avatar darnmason commented on August 22, 2024 1

Yeah I'd say that's the least that could be done. I would expect many devs would skip the web app part of the sample as you'd know how to create a JWT. So it's worth calling it out explicitly.


adamasmar avatar adamasmar commented on August 22, 2024

You may close this. I was not setting up my issuer correctly.


JasSuri avatar JasSuri commented on August 22, 2024

Thanks


stephenstroud avatar stephenstroud commented on August 22, 2024

@adamasmar I've run into this problem, how did you configure your issuer to resolve this? thanks


adamasmar avatar adamasmar commented on August 22, 2024

@stephenstroud I don't recall what value I was using for the issuer. But the correct issuer (at least in my project) is the Directory (tenant) ID within the App Registration within the B2C directory.

If I had to wager a guess, I imagine I was using the Application ID of the application within Azure/B2C/Applications, rather than the correct Directory (tenant) ID value residing in Azure/App Registrations.

Hope that's helpful.


stephenstroud avatar stephenstroud commented on August 22, 2024

@adamasmar to confirm issuer - I'm looking at this line?

string issuer = $"{this.Request.Scheme}://{this.Request.Host}{this.Request.PathBase.Value}/";

The tenant ID is just a Guid and not a Url


lizetpenamsft avatar lizetpenamsft commented on August 22, 2024

I'm still having this same issue even when I change the issuer to be "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/"


JasSuri avatar JasSuri commented on August 22, 2024

The issuer should be the same as the iss claim in the id_token_hint you are generating. Since you are generating the id_token_hint, you are the issuer, and therefore there should be no reference to B2C in the issuer string.

Whatever you put here:
string issuer = $"{this.Request.Scheme}://{this.Request.Host}{this.Request.PathBase.Value}/";

Is what the issuer metadata item should be set to in the id token hint technical profile.


darnmason avatar darnmason commented on August 22, 2024

I'm stumped by this one, getting the same error but I've quadruple checked that I followed the steps correctly using a symmetric key. I have verified that the token is signed correctly using jwt.io. I even removed the MetaData items IdTokenAudience and issuer from the Technical Profile to rule them out. I deleted and re-added the Policy Key to make sure I pasted the correct value in there, which is a base64 encoded string. I am recording the user journey with Application Insights but haven't found more details in there. I wasn't sure about creating the manual Policy Key with key usage Encryption so I tried it with key usage Signing but it didn't make a difference.

The error:
AADB2C90233: The provided id_token_hint parameter failed signature validation. Please provide another token and try again.

My JWT contents, I've checked all required claims are there and that the signature is good:

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "iat": 1616639361,
  "sub": "d8ebdf73-1c14-4591-b6d7-666b8f9b0813",
  "nbf": 1616639361,
  "exp": 1616639961,
  "iss": "https://my-website.net",
  "aud": "my-tenant.onmicrosoft.com"
}

My technical profile, with metadata now commented out to narrow the issue:

<ClaimsProvider>
  <DisplayName>ID Token Hint Reader</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="IdTokenHint_ExtractClaims">
      <DisplayName>ID Token Hint Reader</DisplayName>
      <Protocol Name="None" />
      <!--<Metadata>-->
        <!--<Item Key="IdTokenAudience">my-tenant.onmicrosoft.com</Item>-->
        <!--<Item Key="issuer">https://my-website.net</Item>-->
      <!--</Metadata>-->
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_IdTokenHintKey" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

And step 1 of my sign in user journey:

<OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_ExtractClaims" />

Anybody have an insight as to what I'm missing?


darnmason avatar darnmason commented on August 22, 2024

Well I immediately realised that B2C isn't base64 decoding the key when validating the JWT. Is there any way to configure this behaviour?


JasSuri avatar JasSuri commented on August 22, 2024

You mean you base64 encoded the secret before uploading the key into B2C policy keys?


darnmason avatar darnmason commented on August 22, 2024

Well the secret is a byte array, following the sample instructions I base64 encoded it to a string and pasted the string into the Policy Key as a manual secret. I configured the same string in my backend to sign the tokens. When signing the JWT I base64 decoded the string to get back the original byte array.

The issue is that B2C UTF8 decodes the Policy Key secret. This meant that I have to change my token signing to also UTF8 decode the string to get the same byte array as B2C.

It's a small thing but counter intuitive to me. Ideally B2C would detect that it's a base64 string value or have a checkbox when creating the key to say it is.


JasSuri avatar JasSuri commented on August 22, 2024

Would it be sufficient to state to use UTF-8 in this readme to prevent this from occurring down the line?


liborweigl avatar liborweigl commented on August 22, 2024

> @stephenstroud your end result should look something like this: https://{yourb2c}.b2clogin.com/{your GUID as mentioned in my previous comment }/v2.0/

I don't get why the sample code generates the issuer with localhost, which causes the error AADB2C90232: The provided id_token_hint parameter does not contain an accepted issuer. Please provide another token and try again.


JasSuri avatar JasSuri commented on August 22, 2024

> @stephenstroud your end result should look something like this: https://{yourb2c}.b2clogin.com/{your GUID as mentioned in my previous comment }/v2.0/
>
> I don't get why the sample code generates the issuer with localhost, which causes the error AADB2C90232: The provided id_token_hint parameter does not contain an accepted issuer. Please provide another token and try again.

Because the id_token_hint IS issued by your service (i.e. localhost, or call it what you want). In the id_token_hint technical profile, supply a metadata URL with a matching issuer. This is the traditional path.

If you are using B2C to generate the OIDC metadata document, either issue the id_token_hint with an appropriate issuer that matches the issuer value found in the B2C OIDC metadata, or override the issuer validation in the Technical Profile metadata options to match what your service sets as the issuer claim in the id_token_hint.

Issuer in the token just needs to match the OIDC metadata document that the Id token hint technical profile references, in all cases.

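To make the two failure modes discussed in this thread concrete (the policy-key encoding mismatch darnmason hit, which surfaces as AADB2C90233, and the issuer mismatch behind AADB2C90232), here is an added Python example. It is not the sample's C# code and not B2C's internal implementation; it builds an HS256 id_token_hint and then validates it the way the thread describes B2C behaving: the policy key string is used as its UTF-8 bytes rather than base64-decoded, then `iss` and `aud` are compared with the values the technical profile metadata would carry. The secret, issuer and audience values are constructed placeholders, and the `audience-mismatch` label is chosen here, since the thread only quotes the signature and issuer error codes.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder values (not from any real tenant).
# The secret is a base64 string pasted as a "manual" policy key, as in the thread.
POLICY_KEY_SECRET = "c2VjcmV0LWtleS1tYXRlcmlhbA=="
ISSUER = "https://my-website.net"         # what the issuing service puts in iss
AUDIENCE = "my-tenant.onmicrosoft.com"    # the IdTokenAudience metadata item


def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact form requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 over the given key bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def validate_id_token_hint(token: str, policy_key_secret: str,
                           expected_issuer: str, expected_audience: str) -> str:
    """Check the token the way the thread describes B2C doing it and return
    'ok' or the error code the thread reports for that failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header_b64, payload_b64, signature_b64 = parts
    # Per the thread, B2C uses the UTF-8 bytes of the policy key string,
    # not the base64 decoding of it.
    key = policy_key_secret.encode("utf-8")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(signature_b64)):
        return "AADB2C90233"  # signature validation failed
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        return "AADB2C90232"  # issuer not accepted
    if claims.get("aud") != expected_audience:
        return "audience-mismatch"  # label chosen for this example, not a B2C code
    return "ok"


def demo() -> dict:
    """Reproduce the three situations from the thread and collect the outcomes."""
    claims = {"sub": "d8ebdf73-1c14-4591-b6d7-666b8f9b0813",
              "iss": ISSUER, "aud": AUDIENCE}
    results = {}

    # 1. Signing with the base64-DECODED secret: the key bytes differ from
    #    the UTF-8 bytes B2C derives from the same pasted string.
    token = sign_hs256(claims, base64.b64decode(POLICY_KEY_SECRET))
    results["base64_decoded_key"] = validate_id_token_hint(
        token, POLICY_KEY_SECRET, ISSUER, AUDIENCE)

    # 2. Signing with the UTF-8 bytes of the same string: matches B2C.
    token = sign_hs256(claims, POLICY_KEY_SECRET.encode("utf-8"))
    results["utf8_key"] = validate_id_token_hint(
        token, POLICY_KEY_SECRET, ISSUER, AUDIENCE)

    # 3. Correct key, but iss left as a localhost-style value while the
    #    technical profile expects ISSUER.
    token = sign_hs256({**claims, "iss": "https://localhost/"},
                       POLICY_KEY_SECRET.encode("utf-8"))
    results["wrong_issuer"] = validate_id_token_hint(
        token, POLICY_KEY_SECRET, ISSUER, AUDIENCE)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fix on the issuing side is the same in any language: derive the HMAC key from the policy key string with the same byte interpretation B2C uses (UTF-8 of the string as pasted), and make the `iss` claim identical to the issuer the technical profile's metadata resolves to.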
