Commit 5fc8eb1

authored
Update idx10501t-oken-signature-validation-error.md
1 parent 63fec8b commit 5fc8eb1

1 file changed

+2
-2
lines changed

support/entra/entra-id/app-integration/idx10501t-oken-signature-validation-error.md

Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ ms.custom: sap:Developing or Registering apps with Microsoft identity platform
99
---
1010
# IDX10501 Signature Validation Errors in Microsoft Entra ID applications
1111

12-
If a client application obtains an access token from Microsoft Entra ID and sends it to a resource (API) application, the resource application must validate the token. To do this, that application uses the public key from the certificate that was used to sign the token. If the application can't find the correct key identifier (kid), it might generate an error message that resembles the following message:
12+
If a client application obtains an access token from Microsoft Entra ID and sends it to a resource (API) application, the resource application must validate the token. It validates by using the public key from the certificate that was used to sign the token. If the application can't find the correct key identifier (kid), it might generate an error message that resembles the following message:
1313

1414
> IDX10501: Signature validation failed. Unable to match 'kid'
1515
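Review bot: On new line 12, "It validates by using the public key" leaves the verb without an object, and "It" can be read as either the token or the resource application. Consider "The resource application validates the token signature by using the public key from the certificate that was used to sign the token." In the same paragraph, "(kid)" is plain text while line 48 formats `appid` and `jwks_uri` as code; formatting `kid` the same way would match the quoted error on line 14 and make it clear that it is the literal header field name.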
@@ -45,7 +45,7 @@ For SAML, Microsoft Entra ID uses the app-specific certificate to sign tokens. T
4545
```http
4646
https://login.microsoftonline.com/<tenant>/discovery/keys?appid=<SAML App ID>
4747
```
48-
3. If your app uses custom signing keys that use a [claims-mapping policy](/entra/identity-platform/saml-claims-customization), you must append an `appid` query parameter that contains the app client ID. This is necessary to retrieve a `jwks_uri` that points to the app’s specific signing key information. For example:
48+
3. If your app uses custom signing keys that use a [claims-mapping policy](/entra/identity-platform/saml-claims-customization), you must append an `appid` query parameter that contains the app client ID. This step is necessary to retrieve a `jwks_uri` that points to the app’s specific signing key information. For example:
4949
5050
```http
5151
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e
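Review bot: On line 48, "custom signing keys that use a claims-mapping policy" still reads as though the keys use the policy; since this sentence is being touched anyway, consider "custom signing keys as a result of a claims-mapping policy" or similar. The example under it is also inconsistent with the one just above: line 51 writes the tenant as `{tenant}` and hard-codes a GUID for `appid`, while line 46 uses `<tenant>` and `<SAML App ID>`. Using one placeholder style and a placeholder app ID in both would keep readers from copying the sample GUID and fetching signing keys for the wrong application.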
