What to do when accessing the Orchestrator and logging in an Unauthorized exception is displayed for various requests?
When accessing the Orchestrator and logging in an Unauthorized exception is displayed for various requests.
Exception occurred while processing message. Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: ‘[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]’.
‘[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]’.
token: ‘[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]’.
at JwtSecurityToken System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token TokenValidationParameters validationParameters)
at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(string token TokenValidationParameters validationParameters out SecurityToken validatedToken)
at ClaimsPrincipal Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateToken(string idToken AuthenticationProperties properties TokenValidationParameters validationParameters out JwtSecurityToken jwt)
The token issued by one node is signed with a different certificate than the one the validating node uses as part of the OIDC flow, so the validating node cannot find a key whose kid matches the token header.
To confirm this:
1. Shut down all the nodes and leave one running.
2. Browse to https://ORCHESTRATOR/identity/.well-known/openid-configuration/jwks. The kid published there needs to match the THUMBPRINT in appsettings.Production.json and should be the same across all servers.
To fix it:
1. Import the same certificate on all nodes.
2. Update appsettings.Production.json on every node to use the same Thumbprint.
3. Make sure the Identity site is pointing to the right location.
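The kid check described above can be scripted so that the JWKS of every node, the configured thumbprint and the kid in a failing token are compared in one place. The following is an added example, not UiPath code; the JWKS document, appsettings fragment, token and node names are constructed inline, and the JSON path to the thumbprint inside appsettings.Production.json is an assumption for illustration (adjust it to the real file). Only the JWT header is inspected, so no key material is needed.

```python
import base64
import json

# Constructed sample inputs (not taken from the original article).
SAMPLE_JWKS = json.dumps({
    "keys": [{
        "kty": "RSA", "use": "sig", "alg": "RS256",
        "kid": "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
        "n": "constructed-modulus", "e": "AQAB",
    }]
})
# Assumed key path for the signing thumbprint; the real file may differ.
SAMPLE_APPSETTINGS = json.dumps({
    "AppSettings": {"Signing": {"Thumbprint": "a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 12 34 56 78"}}
})


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _norm(thumbprint: str) -> str:
    # Thumbprints copied from certificate dialogs often carry spaces or colons.
    return thumbprint.replace(" ", "").replace(":", "").upper()


def make_unsigned_token(kid: str) -> str:
    """Build a JWT-shaped string whose header names `kid`.
    The signature segment is a placeholder: only the header is examined here."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps({"sub": "constructed-user"}).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_header_kid(token: str) -> str:
    """Return the kid named in the JWT header (the value hidden as PII in IDX10501)."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("kid", "")


def jwks_kids(jwks_json: str) -> set:
    """All kids a node publishes at /identity/.well-known/openid-configuration/jwks."""
    return {_norm(k.get("kid", "")) for k in json.loads(jwks_json).get("keys", [])}


def configured_thumbprint(appsettings_json: str,
                          path=("AppSettings", "Signing", "Thumbprint")) -> str:
    node = json.loads(appsettings_json)
    for part in path:  # `path` is the assumed location of the thumbprint
        node = node[part]
    return _norm(node)


def diagnose(jwks_json: str, appsettings_json: str, token: str) -> list:
    """Findings for one node; an empty list means JWKS, config and token agree."""
    findings = []
    kids = jwks_kids(jwks_json)
    thumb = configured_thumbprint(appsettings_json)
    token_kid = _norm(jwt_header_kid(token))
    if thumb not in kids:
        findings.append(f"configured thumbprint {thumb} is not among JWKS kids {sorted(kids)}")
    if token_kid not in kids:
        findings.append(f"token kid {token_kid} is not in JWKS: signed by a different certificate (IDX10501)")
    return findings


def nodes_out_of_sync(jwks_by_node: dict) -> list:
    """Given {node_name: jwks_json} fetched from each node, return the nodes whose
    published kids differ from the first node's; all nodes should publish the same kid."""
    names = list(jwks_by_node)
    reference = jwks_kids(jwks_by_node[names[0]])
    return [n for n in names[1:] if jwks_kids(jwks_by_node[n]) != reference]


if __name__ == "__main__":
    good = make_unsigned_token("A1B2C3D4E5F60718293A4B5C6D7E8F9012345678")
    print(diagnose(SAMPLE_JWKS, SAMPLE_APPSETTINGS, good))
    bad = make_unsigned_token("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")
    print(diagnose(SAMPLE_JWKS, SAMPLE_APPSETTINGS, bad))
```

In a real deployment the JWKS for `nodes_out_of_sync` would be fetched from each node's jwks URL in turn (with the load balancer bypassed, so each request is known to reach a specific node); any node listed by that function is the one still signing with the old certificate.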