Azure AD-B2C error: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'

I’m using Swagger to make API calls; for authentication I’m able to generate a Bearer token, but after that I’m getting 401 in response. After checking the logs, below is the error:

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: 
kid: '[PII is hidden]', 
token: '[PII is hidden]'

My ConfigureAuth method is as below:

// Assumed usings for the OWIN/Katana JWT bearer middleware this method relies on;
// the question did not show them. OpenIdConnectCachingSecurityTokenProvider is the
// helper class from the Azure AD B2C samples that lives in the application's own code.
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

private static void ConfigureAuth(IAppBuilder app)
{
    // ida:AadInstance holds a format string whose {0}/{1} placeholders are filled with
    // the tenant and the sign-in policy. For B2C it must resolve to the policy-specific
    // discovery document (see the answers below); otherwise the signing keys fetched
    // from it will not contain the token's 'kid' and validation fails with IDX10501.
    var metadataEndpoint = string.Format(
        configProvider.GetConfigValue<string>("ida:AadInstance", "AuthConfig"),
        configProvider.GetConfigValue<string>("ida:Tenant", "AuthConfig"),
        configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"));

    // Audiences the API accepts, as a comma-separated list in configuration.
    string[] validAudiences = configProvider.GetConfigValue<string>("ida:Audiences", "AuthConfig").Split(',');
    TokenValidationParameters tvps = new TokenValidationParameters
    {
        ValidAudiences = validAudiences,
        AuthenticationType = configProvider.GetConfigValue<string>("ida:SignInPolicy", "AuthConfig"),
        ValidateAudience = true,
        ValidateIssuer = configProvider.GetConfigValue<bool>("validateIssuer", "AuthConfig"),
        ValidateLifetime = true,
        ValidAudience = configProvider.GetConfigValue<string>("Swagger:ClientId", "AuthConfig"),
        //NameClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier",
    };

    //SecurityToken securityToken;
    //JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
    app.UseOAuthBearerAuthentication(
        new OAuthBearerAuthenticationOptions
        {
            // The token provider downloads the signing keys advertised by metadataEndpoint
            // and caches them; JwtFormat validates the bearer token against those keys.
            AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)),
            Provider = new OAuthBearerAuthenticationProvider()
            {
                OnRequestToken = (context) =>
                {
                    if (!string.IsNullOrEmpty(context.Token))
                    {
                        // Token extracted from the Authorization header; nothing extra done here.
                    }

                    return Task.FromResult<int>(0);
                },
                OnValidateIdentity = (context) =>
                {
                    ////TO DO
                    //// Steps to perform after identity validation

                    return Task.FromResult<int>(0);
                }
            }
        });
}
Rumpi Guha asked Dec 18 '22 22:12


2 Answers

I had to update my OpenIdConnectAuthenticationOptions.MetadataAddress to https://login.microsoftonline.com/tfp/{tenantId}/{policyId}/v2.0/.well-known/openid-configuration.

Drew Fleming answered Feb 13 '23 06:02


I was able to validate the token by passing the correct metadata endpoint:

https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/.well-known/openid-configuration

Rumpi Guha answered Feb 13 '23 05:02
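Both answers come down to the same check: the middleware looks up the token's `kid` header in the key set published by whatever metadata document it was configured with, and IDX10501 means that key set does not contain it. The script below is an added example, not code from the question or the answers, that reproduces that lookup so you can see which document actually publishes the signing key. It assumes the B2C URL pattern quoted in the answers; the key sets and the token are constructed sample data (no real key material), so it runs offline, and `fetch_jwks` is only there to show the live discovery-to-JWKS path.

```python
import base64
import json
import urllib.request

# URL pattern quoted in the answers: the B2C discovery document is policy-specific.
B2C_METADATA_FORMAT = (
    "https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/.well-known/openid-configuration"
)


def b2c_metadata_url(tenant_id: str, policy_id: str) -> str:
    """Build the policy-specific metadata endpoint the API must validate against."""
    return B2C_METADATA_FORMAT.format(tenant_id, policy_id)


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_kid(jwt: str) -> str:
    """Read the 'kid' header that the middleware uses to pick a signing key."""
    header = json.loads(_b64url_decode(jwt.split(".")[0]))
    return header["kid"]


def jwks_kids(jwks: dict) -> list:
    """Key ids advertised by a JWKS document."""
    return [k["kid"] for k in jwks.get("keys", []) if "kid" in k]


def diagnose(jwt: str, jwks: dict) -> dict:
    """Mirror the check behind IDX10501: is the token's kid among the published keys?"""
    kid = token_kid(jwt)
    published = jwks_kids(jwks)
    return {"kid": kid, "published_kids": published, "matched": kid in published}


def fetch_jwks(metadata_url: str) -> dict:
    """Live version (needs network): discovery document -> jwks_uri -> key set.
    Not called in the offline demonstration below."""
    with urllib.request.urlopen(metadata_url) as resp:
        jwks_uri = json.load(resp)["jwks_uri"]
    with urllib.request.urlopen(jwks_uri) as resp:
        return json.load(resp)


def make_unsigned_token(kid: str) -> str:
    """Constructed test token: real header shape, dummy payload, empty signature.
    Only the header matters for the kid lookup demonstrated here."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps({"aud": "swagger-client-id", "tfp": "B2C_1_signin"}).encode())
    return f"{header}.{payload}."


# Constructed sample key sets: the policy's own keys versus keys from some other document.
POLICY_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "b2c-signin-policy-key", "n": "...", "e": "AQAB"}]}
OTHER_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "some-other-key", "n": "...", "e": "AQAB"}]}

SAMPLE_TOKEN = make_unsigned_token("b2c-signin-policy-key")

if __name__ == "__main__":
    print(b2c_metadata_url("contoso.onmicrosoft.com", "B2C_1_signin"))
    print(diagnose(SAMPLE_TOKEN, OTHER_JWKS))   # matched: False, the IDX10501 situation
    print(diagnose(SAMPLE_TOKEN, POLICY_JWKS))  # matched: True
```

Against a real deployment, replace the constructed key sets with `fetch_jwks(b2c_metadata_url(tenant, policy))` and pass the token Swagger obtained; if `matched` is false for the policy-specific document too, the token was issued by a different policy or tenant than the one the API is configured for, which is a configuration mismatch rather than a key-rollover problem.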