JWTissuer - Keyset does not exist exception
We have implemented a custom policy based on the Invite sample. An Azure function generates an invite link which is mailed to the new user. That URL directs the user to our Signup policy. All the steps in the signup policy are executed successfully (user is created), but in the last step (SendClaims) we get an exception:
{
  "Kind": "FatalException",
  "Content": {
    "Time": "8:27 AM",
    "Exception": {
      "Kind": "Handled",
      "HResult": "80090016",
      "Message": "Keyset does not exist\r\n",
      "Data": {}
    }
  }
}
This happens in the JWTIssuer TechnicalProfile from the TrustFrameworkBase policy:
<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="None" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Which is called in the last step from the UserJourney:
    <!-- Let the user fill in the signup form and create the account-->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSignUpWithReadOnlyEmail" TechnicalProfileReferenceId="LocalAccountSignUpWithReadOnlyEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Issue an access token for the newly created account-->
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
The error message suggests an issue with the certificate used to sign the token; however, the configuration seems OK. All certificates are in place.
Has anyone encountered the same error message, or can anyone guide us in the correct direction to solve this?
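
One way to check the "all certificates are in place" assumption mechanically, as an added example that is not part of the original question: list every StorageReferenceId the policy references and compare it with the key container names that exist in the tenant. The TrustFrameworkPolicy wrapper, the TENANT_KEYS list and the function names are assumptions made for this sketch; it does not establish the cause of the exception.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the JwtIssuer profile from the question, wrapped in an
# assumed TrustFrameworkPolicy root so that it parses as a full document.
POLICY_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

# Constructed sample: policy key names copied by hand from the tenant.
TENANT_KEYS = {"B2C_1A_TokenSigningKeyContainer", "b2c_1a_tokenencryptionkeycontainer"}


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def referenced_keys(policy_xml):
    """Return (profile Id, key Id, StorageReferenceId) for every <Key>."""
    refs = []
    for profile in ET.fromstring(policy_xml).iter():
        if local_name(profile.tag) != "TechnicalProfile":
            continue
        for key in profile.iter():
            if local_name(key.tag) == "Key":
                refs.append((profile.get("Id"), key.get("Id"), key.get("StorageReferenceId")))
    return refs


def check_references(policy_xml, tenant_keys):
    """Label each reference 'ok', 'near-match' (review by hand) or 'missing'."""
    folded = {name.strip().lower() for name in tenant_keys}
    findings = []
    for profile_id, key_id, ref in referenced_keys(policy_xml):
        if ref in tenant_keys:
            status = "ok"
        elif ref and ref.strip().lower() in folded:
            status = "near-match"  # differs only in case or whitespace
        else:
            status = "missing"
        findings.append((profile_id, key_id, ref, status))
    return findings


if __name__ == "__main__":
    for finding in check_references(POLICY_XML, TENANT_KEYS):
        print(*finding, sep="\t")
```

Run it against the merged base, extension and relying-party files, since a Key element can be declared in any of them.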