Azure AD B2C Issuing JWT Tokens with Invalid Signatures

Question

Azure AD B2C Issuing JWT Tokens with Invalid Signatures

petehall 20

Azure AD B2C is intermittently issuing JWT access tokens with mathematically invalid RSA signatures. These tokens fail RSA.VerifyData() validation against the public keys published in the JWKS endpoint, even though:

1. The token's `kid` (Key ID) matches a key in the current JWKS
2. All token claims are valid (correct issuer, audience, not expired)
3. The token format is syntactically correct
4. No corruption occurs during transmission (byte-identical on repeated reads)

The oldest active signing key is 47 days old and may be faulted or corrupt.


Can you check the status of a signing key - I can specify which one.
   - Are there any known issues with this specific key?
   - Can you force removal/rotation of this key?

Shubham Sharma 12,525 Reputation points Microsoft External Staff Moderator

2026-04-09T13:33:44.9366667+00:00

Hello petehall

Thank you for reaching out to Microsoft Q&A.

We are currently checking with the internal team and we will get back to you shortly.

Thank you
VEMULA SRISAI 11,330 Reputation points Microsoft External Staff Moderator

2026-04-09T14:25:16.8633333+00:00
Hello petehall,

Thanks for sharing the detailed analysis,this is a very interesting scenario.

Based on your observations, this does not appear to be a typical configuration or validation issue. If RSA.VerifyData() fails even when the kid matches the JWKS key and the token is byte-identical, this points to either a subtle validation mismatch or a potential backend inconsistency.

Answers to your questions

Can the status of a specific signing key be checked? There is currently no public mechanism to inspect or validate the health/status of an individual signing key in Azure AD B2C. This can only be checked internally by Microsoft.

Are there known issues with specific keys? There are no documented cases where Azure AD B2C issues tokens with mathematically invalid RSA signatures. Most “invalid signature” issues reported publicly are related to configuration, key mismatch, or validation logic.

Can a key be force-rotated or removed? No,signing keys are fully managed by the platform, and:

You cannot manually remove a key

You cannot force immediate rotation. Recommended Actions:

Validate your verification logic Ensure the following are strictly correct:

Signing input: base64UrlEncode(header) + "." + base64UrlEncode(payload)

Algorithm: RS256 (SHA256 + PKCS#1 v1.5)

Proper decoding of n and e from JWKS

Implement retry logic (mitigation) Since the issue is intermittent:

Reject the failed token

Request a new token

Re-validate

Refresh JWKS on failure

Re-fetch JWKS when validation fails

Rebuild the key and retry validation once

Reduce JWKS caching

Avoid long-lived key caching

Refresh keys more frequently or on failure

Capture diagnostic data Log the following for failed cases:

Full JWT

kid

JWKS response

Timestamp (UTC)

Validation method details

If the issue continues after the above steps, please let me know.
petehall 20 Reputation points

2026-04-09T14:50:45.3366667+00:00

I'll discuss the above with the development team. Quick question though, would a signing key be expected to be 47 days old?
petehall 20 Reputation points

2026-04-09T15:03:25.2066667+00:00

Can you arrange a private chat as I have diagnostic information I can share - I also do not want to implement more complex retry logic as yet
VEMULA SRISAI 11,330 Reputation points Microsoft External Staff Moderator

2026-04-09T15:04:19.34+00:00

petehall yes, a signing key being ~47 days old is completely normal in Azure AD B2C.

1 answer

Your answer

Shubham Sharma 12,525 Reputation points Microsoft External Staff Moderator

2026-04-09T13:33:44.9366667+00:00

Hello petehall

Thank you for reaching out to Microsoft Q&A.

We are currently checking with the internal team and we will get back to you shortly.

Thank you
VEMULA SRISAI 11,330 Reputation points Microsoft External Staff Moderator

2026-04-09T14:25:16.8633333+00:00

Hello petehall,

Thanks for sharing the detailed analysis,this is a very interesting scenario.

Based on your observations, this does not appear to be a typical configuration or validation issue. If RSA.VerifyData() fails even when the kid matches the JWKS key and the token is byte-identical, this points to either a subtle validation mismatch or a potential backend inconsistency.

Answers to your questions

Can the status of a specific signing key be checked? There is currently no public mechanism to inspect or validate the health/status of an individual signing key in Azure AD B2C. This can only be checked internally by Microsoft.

Are there known issues with specific keys? There are no documented cases where Azure AD B2C issues tokens with mathematically invalid RSA signatures. Most “invalid signature” issues reported publicly are related to configuration, key mismatch, or validation logic.

Can a key be force-rotated or removed? No,signing keys are fully managed by the platform, and:

You cannot manually remove a key

You cannot force immediate rotation. Recommended Actions:

Validate your verification logic Ensure the following are strictly correct:

Signing input: base64UrlEncode(header) + "." + base64UrlEncode(payload)

Algorithm: RS256 (SHA256 + PKCS#1 v1.5)

Proper decoding of n and e from JWKS

Implement retry logic (mitigation) Since the issue is intermittent:

Reject the failed token

Request a new token

Re-validate

Refresh JWKS on failure

Re-fetch JWKS when validation fails

Rebuild the key and retry validation once

Reduce JWKS caching

Avoid long-lived key caching

Refresh keys more frequently or on failure

Capture diagnostic data Log the following for failed cases:

Full JWT

kid

JWKS response

Timestamp (UTC)

Validation method details

If the issue continues after the above steps, please let me know.
petehall 20 Reputation points

2026-04-09T14:50:45.3366667+00:00

I'll discuss the above with the development team. Quick question though, would a signing key be expected to be 47 days old?
petehall 20 Reputation points

2026-04-09T15:03:25.2066667+00:00

Can you arrange a private chat as I have diagnostic information I can share - I also do not want to implement more complex retry logic as yet
VEMULA SRISAI 11,330 Reputation points Microsoft External Staff Moderator

2026-04-09T15:04:19.34+00:00

petehall yes, a signing key being ~47 days old is completely normal in Azure AD B2C.

Answer 1

petehall 20

I need to know:
Can you check the status of a specific signing key?
Are there any logged errors in Azure AD's token signing service for this tenant?
Can you disable a specific key? That would test one theory

Regards

0 comments

Share via

Azure AD B2C Issuing JWT Tokens with Invalid Signatures

1 answer

Your answer