IDX10501: Signature validation failed. Unable to match key

Sebastian Rogers
2 min read · Jan 27, 2023

TL;DR When using MSAL to authenticate against an Azure Function App make sure you use the idToken and not the accessToken.

A quick one, this. It happened because a client asked us to use a ‘secured’ Azure Function App, and our fetch calls to it from a Single Page Application (SPA) started to fail as soon as they added an Azure AD identity provider to it.

We had been making calls as follows:

But now this was giving us an HTTP 401 status code.

Not a problem: we had already used MSAL to authenticate against Universal Print, so we had an Authorisation Result with tokens in it, and we could use those to show who we were.

However, when we ran this we still got an HTTP 401.

Investigating further we found in the response:

{"code":401,"message":"IDX10501: Signature validation failed. Unable to match key: \nkid: '-KI3Q9nNR7bRofxmeZoXqbHZGew'. \nNumber of keys in TokenValidationParameters: '8'. \nNumber of keys in Configuration: '0'. \nExceptions caught:\n '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. \ntoken: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'."}

It took a while, and this slightly unrelated issue (invalid_client: the App asked for scope ‘mailread’ that doesn’t exist on the resource), to identify the simple mistake:

An Authorisation Result looks like this:

The token we had used was the accessToken, because we wanted ‘access’, rather than the idToken, which says who we are.

Anyway, when supplying tokens, remember to use the idToken for authentication and not the accessToken.
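To make the mistake visible before a request ever leaves the browser, here is an added example (not code from the post or from the MSAL project) that picks the token out of an MSAL AuthenticationResult, inspects its header and claims, and builds the fetch options for the Function App. The Function App client ID, the JWKS contents and both tokens are constructed sample values, and the idToken/accessToken field names are those of msal-browser's AuthenticationResult. The aud check is the one the Function App's identity provider effectively performs: the idToken is issued for the client ID the identity provider was configured with, while the accessToken carries the aud and kid of whatever resource the scopes pointed at.

```javascript
// Added example, not the original post's code. Works in a browser and in
// Node >= 16 (uses the global atob/btoa). Nothing here verifies a signature;
// that remains the Function App's job. This is a pre-flight sanity check.

// Decode one base64url segment of a compact JWT into an object.
function decodeJwtPart(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded)); // claims in these samples are ASCII
}

// Return the pieces the IDX10501 message talks about: the kid from the header
// and the audience/expiry from the payload.
function inspectToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const header = decodeJwtPart(parts[0]);
  const payload = decodeJwtPart(parts[1]);
  return { alg: header.alg, kid: header.kid, aud: payload.aud, exp: payload.exp };
}

// Does the token's kid appear in the signing keys the app is configured with?
// `jwks` has the shape of an OpenID Connect JWKS document ({ keys: [...] }).
function kidIsKnown(token, jwks) {
  const { kid } = inspectToken(token);
  return jwks.keys.some((k) => k.kid === kid);
}

// Build fetch options for the Function App call. `appClientId` is the client
// ID of the app registration behind the Function App's identity provider.
// The idToken is the one whose aud is that client ID, so that is what we send.
function buildFunctionRequest(authResult, appClientId) {
  const { aud, exp } = inspectToken(authResult.idToken);
  if (aud !== appClientId) throw new Error(`token aud '${aud}' is not the Function App client id`);
  if (exp * 1000 < Date.now()) throw new Error('token expired; call acquireTokenSilent again');
  return { method: 'GET', headers: { Authorization: `Bearer ${authResult.idToken}` } };
}

// Convenience wrapper for real use (not exercised offline).
async function callFunctionApp(url, authResult, appClientId) {
  return fetch(url, buildFunctionRequest(authResult, appClientId));
}

// --- constructed sample data (placeholders, not real identifiers) ---
function fakeJwt(header, payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.sig`; // 'sig' stands in for a signature
}
const APP_CLIENT_ID = '11111111-2222-3333-4444-555555555555'; // placeholder
const ONE_HOUR_AHEAD = Math.floor(Date.now() / 1000) + 3600;
const SAMPLE_JWKS = { keys: [{ kty: 'RSA', kid: 'sample-tenant-key-1', use: 'sig' }] };
const sampleAuthResult = {
  // Shape of msal-browser's AuthenticationResult, trimmed to the fields used here.
  idToken: fakeJwt({ alg: 'RS256', kid: 'sample-tenant-key-1' },
                   { aud: APP_CLIENT_ID, exp: ONE_HOUR_AHEAD, preferred_username: 'user@example.com' }),
  accessToken: fakeJwt({ alg: 'RS256', kid: 'sample-resource-key-9' },
                       { aud: 'https://graph.microsoft.com', scp: 'Mail.Read', exp: ONE_HOUR_AHEAD }),
  scopes: ['Mail.Read'],
  account: { username: 'user@example.com' },
};

// Show the difference the post is about: the same check passes for the
// idToken and fails for the accessToken.
function explainChoice(authResult, appClientId, jwks) {
  const id = inspectToken(authResult.idToken);
  const access = inspectToken(authResult.accessToken);
  return {
    idTokenOk: id.aud === appClientId && kidIsKnown(authResult.idToken, jwks),
    accessTokenOk: access.aud === appClientId && kidIsKnown(authResult.accessToken, jwks),
  };
}
```

Run `explainChoice(sampleAuthResult, APP_CLIENT_ID, SAMPLE_JWKS)` to see `{ idTokenOk: true, accessTokenOk: false }`; swapping the accessToken into the `idToken` slot makes `buildFunctionRequest` throw on the audience before any 401 comes back from the server.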

TL;DR When using MSAL to authenticate against an Azure Function App make sure you use the idToken and not the accessToken.


Sebastian Rogers

Technical Director for Simple Innovations Ltd. First paid for code in 1980, but still has all his own hair.