How to fix : AADSTS500126: External ID token from issuer '{issuer}' failed signature verification. KeyID of token is '{keyid}'.

vrk 5 Reputation points
2024-07-08T07:15:13.5+00:00

I am working on creating external authentication method using OpenID connect flow.

Now I am looking at the last step, where the generated id_token from the issuer needs to be verified by Microsoft Entra ID. However, I am getting the following error:

AADSTS500126: External ID token from issuer 'https://xxxx' failed signature verification. KeyID of token is 'xxxxxxx'.

I am generating the id_token using the following params; what could be the issue? I tried verifying the generated id_token on https://jwt.io/ and https://jwt.davetonge.co.uk/ and it shows the signature as verified.

Looking for help here to resolve the issue. Thank you.

<?php
// Builds the id_token with firebase/php-jwt (JWT::encode), signed with RS256.
use Firebase\JWT\JWT;

function buildIdToken(array $entra_data, $user, string $privateKey): string
{
    $payload = [
        'iss' => "xxxx",
        'tid' => "xxxx",
        'aud' => "xxxx",
        'exp' => time() + 3600,
        'iat' => time(),
        'nbf' => time(),
        'sub' => $entra_data['sub'],
        'nonce' => $entra_data['nonce'],
        'acr' => $entra_data['acr'],
        'amr' => $entra_data['amr'],
        'name' => $user->name,
        'email' => $user->email,
        'preferred_username' => $user->email
    ];

    // Create the header; the 'kid' must match a key published at the issuer's JWKS endpoint
    $header = [
        'alg' => 'RS256',
        'typ' => 'JWT',
        'kid' => "xxxxxx"
    ];

    // JWT::encode($payload, $key, $alg, $keyId = null, $head = null); kid is supplied via $head here
    return JWT::encode($payload, $privateKey, 'RS256', null, $header);
}
1 answer

  1. Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
    2024-07-08T20:57:52.61+00:00

    Hi @vrk ,

    The EAM feature is in public preview, which means the support we offer is limited and we do not recommend deploying the feature in production. As a best effort you can try these steps:

    1. Check that the configuration on our side is correct as per the article How to manage an external authentication method (EAM) in Microsoft Entra ID (Preview) - Microsoft Entra ID | Microsoft Learn.
    2. Involve the third-party support team to check if the configuration on their side is correct.
    3. If the configuration is correct on both parts, please collect a Fiddler trace during the issue, reproduce it, and review the failed sign-in event.

    If you still face the issue, you can reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak | AADSTS500126") and include your subscription ID, the Fiddler trace, and a link to this thread, and I can open a one-time free support case to look into this.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

