IDX10500: Signature validation failed
https://support.okta.com/help/answers?id=9062a000000bmccqaa&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Mark B

IDX10500: Signature validation failed

Hi,
I'm trying to create a proof-of-concept application. I have a native Windows client application that is based on the Okta example named "Okta OpenID Connect Windows Native Examples." I have a WebAPI server application that is based on the Okta example, "Okta-OpenIDConnect-SPA-ASP.NET WebAPI." The objective is to have the client successfully call the WebAPI server with group authorization.

I'm having a problem getting the token validation to work on the WebAPI server. It looks like the token is signed with a different key than the one in the openid-configuration. Here's the error that I'm getting:

System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
    )
', 
token: '{"alg":"RS256","kid":"3u3MKPQsCYpA5_tQZ6FYINo0Agf6I0IxucFd14D2gOs"}.{"ver":1,"jti":"AT.PJQv1IjWUvX1v-J1uTKTYAdUZaTshrBEVYEs8L7mzqM","iss":"https://...



And the response from /oauth2/v1/keys looks like this:

{
keys: [
{
alg: "RS256",
e: "AQAB",
n: "zn2dZz79-idza7gqZEPaw1RJn1p2lPN1CITSEayyvdOZuhbH_FkBbj5WLFUZCPqjaNJvtpDDdD1WvKYLWIH-KUGoNOLrD0dIWMVhSqoRzBZ3EkLVI_g607Vu-BXT2BPfIw7ovUpuObVcI1Uy7BbHmgQJJuFSlOUjhboe60vHHVxwgoTYU62hYAb66SFp3t9VFqEpOjDyJL6Mf8rLijOP7S3Ft-FqL3NO9QXKRl0fa5bLkZ5rxdHwmTITnNE6w3TwijE84l3dWiFIDIyd8E23xdgokdun0C4Cj2ntINpkDvkuWraDKxuafYiN9eTD4jAQXiuhPrSj4V4ueuNTVM7e8w",
kid: "eTamJ0wfPSMKPsDXmV84FsbJ5fqFskdoVvEMIk_yTMo",
kty: "RSA",
use: "sig"
}
]
}

I'm assuming that the kids should match. Is that a correct assumption? If they are supposed to match, why would they be different? If they aren't supposed to match, what else could be wrong?

Thanks!
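
An added diagnostic example (not part of the original post or of Okta's samples), in Python with the standard library only: it reads the unverified header and claims of a compact JWT and reports whether the token's `kid` is among the signing keys of a JWKS document, which is the comparison the question above turns on. The issuer `https://issuer.example`, the claims, the signature placeholder and all function names are assumptions; the two `kid` values are the ones quoted in the post.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def diagnose_kid(token: str, jwks: dict, expected_issuer: str, alg: str = "RS256") -> dict:
    """Explain a key-resolution failure from an UNVERIFIED token.

    Header and claims are attacker-controllable until the signature checks out,
    so the result is for troubleshooting only, never for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    published = [k["kid"] for k in jwks.get("keys", [])
                 if "kid" in k and k.get("use", "sig") == "sig"]
    kid = header.get("kid")
    if header.get("alg") != alg:
        verdict = "unexpected-alg"     # reject; the token must not choose the algorithm
    elif claims.get("iss") != expected_issuer:
        verdict = "issuer-mismatch"    # token names another issuer than this JWKS was fetched for
    elif kid not in published:
        verdict = "kid-not-published"  # refetch the JWKS once (rotation, stale cache), then reject
    else:
        verdict = "kid-found"
    return {"verdict": verdict, "token_kid": kid, "published_kids": published,
            "token_iss": claims.get("iss")}

# Constructed sample: header and key id copied from the post; issuer, claims and
# signature are placeholders (the post truncates "iss" and shows no signature).
ISSUER = "https://issuer.example"
HEADER = {"alg": "RS256", "kid": "3u3MKPQsCYpA5_tQZ6FYINo0Agf6I0IxucFd14D2gOs"}
JWKS = {"keys": [{"alg": "RS256", "kty": "RSA", "use": "sig", "e": "AQAB",
                  "kid": "eTamJ0wfPSMKPsDXmV84FsbJ5fqFskdoVvEMIk_yTMo"}]}  # "n" omitted

def sample_token(header: dict, issuer: str) -> str:
    return ".".join([b64url_encode(header), b64url_encode({"ver": 1, "iss": issuer}), "c2ln"])

if __name__ == "__main__":
    print(diagnose_kid(sample_token(HEADER, ISSUER), JWKS, ISSUER))
```

A "kid-not-published" or "issuer-mismatch" verdict is a reason to check which issuer and keys endpoint the API is configured against, never a reason to relax signature validation.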

 
Darron Hellmann (Okta)
Hi Mark

May I suggest opening a DevSupport ticket so that we can take a closer look?