SecurityTokenInvalidSignatureException
This exception is thrown when a token's signature cannot be verified with any of the keys supplied for validation. That happens when the token has been tampered with (or was signed with a key other than the one expected), or when the key that actually signed the token is not among the keys provided to the handler, for example after a signing key rollover.
In some cases the IDX10503: Signature validation failed error is caused by disposing a cryptographic object before it is actually used for signing or signature validation. One way this happens is by calling Dispose() explicitly. Another is creating the cryptographic object inside a using block and performing the signing or validation after the block has ended: the object is disposed at the closing brace, while the SecurityKey wrapping it is still referenced and used later.
When a disposed cryptographic object is used again, some .NET providers lazily re-create their key material, so the object silently ends up with a freshly generated random key instead of the one that was configured; other providers throw ObjectDisposedException. In either case the signature produced or checked no longer corresponds to the intended key, and the handler reports IDX10503.
Solution: do not dispose a cryptographic object (or the SecurityKey built from it) until the last signing or signature-validation call that depends on it has completed.
Noticed in issues: #968 and #994
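The broken and the corrected pattern side by side, as an added example that is not code from this wiki page or from the Microsoft.IdentityModel library. It uses the public JwtSecurityTokenHandler, RsaSecurityKey, SigningCredentials and TokenValidationParameters APIs; the issuer, audience and claim values are constructed. The exact exception subtype and message text vary between library versions, so the catch block targets the base SecurityTokenInvalidSignatureException, which the page identifies as the exception carrying IDX10503.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added example, not part of the wiki page or the library.
// Assumes the System.IdentityModel.Tokens.Jwt package (which brings in
// Microsoft.IdentityModel.Tokens) is referenced.
public static class DisposedKeyDemo
{
    // Constructed sample values.
    const string Issuer = "https://issuer.example";
    const string Audience = "api://audience.example";

    static string CreateToken(RsaSecurityKey key)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256),
        };
        return new JwtSecurityTokenHandler().CreateEncodedJwt(descriptor);
    }

    static void Validate(string token, RsaSecurityKey key)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,
        };
        new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    // BROKEN: the RSA object is disposed at the end of the using block, but the
    // RsaSecurityKey that wraps it is used for validation afterwards. Depending on
    // the runtime the disposed RSA either throws ObjectDisposedException or lazily
    // generates a fresh random key; either way the handler cannot verify the
    // signature and throws SecurityTokenInvalidSignatureException (IDX10503).
    public static void Broken()
    {
        string token;
        RsaSecurityKey key;
        using (var rsa = RSA.Create(2048))
        {
            key = new RsaSecurityKey(rsa);
            token = CreateToken(key);   // signing works: rsa is still alive here
        }                               // rsa.Dispose() runs here

        try
        {
            Validate(token, key);       // validation outside the using block
            Console.WriteLine("unexpected: validation succeeded");
        }
        catch (SecurityTokenInvalidSignatureException ex)
        {
            Console.WriteLine("reproduced: " + ex.Message);
        }
    }

    // FIXED: keep the RSA object alive for as long as any SecurityKey built from it
    // is in use, and dispose it only after the last signing/validation call.
    public static void Fixed()
    {
        using (var rsa = RSA.Create(2048))
        {
            var key = new RsaSecurityKey(rsa);
            string token = CreateToken(key);
            Validate(token, key);       // still inside the using block
            Console.WriteLine("token validated");
        }
    }

    public static void Main()
    {
        Broken();
        Fixed();
    }
}
```

In real services the signing or validation key usually outlives any single method, so the RSA object (or the SecurityKey holding it) should be owned by a long-lived component and disposed only when that component shuts down, never inside a per-request using block.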