IDX10501: Signature validation failed. Unable to match key

What to do when, after accessing the Orchestrator and logging in, an Unauthorized exception is displayed for various requests?

Issue description:

When accessing the Orchestrator and logging in, an Unauthorized exception is displayed for various requests. The Orchestrator/Identity logs contain the following exception:

Exception occurred while processing message.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
 '[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
token: '[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
   at JwtSecurityToken System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
   at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
   at ClaimsPrincipal Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateToken(string idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters, out JwtSecurityToken jwt)

Cause:

In a multi-node deployment, the token is issued by whichever node handled the login and validated by whichever node serves the next request. The token issued by one node is signed with a certificate that differs from the one held by the node validating it as part of the OIDC flow, so the validating node finds no key matching the token's kid and rejects the signature.

In order to validate it:

  1. Shut down all the nodes and leave one standing.

  2. Browse to https://ORCHESTRATOR/identity/.well-known/openid-configuration/jwks. The kid needs to match the THUMBPRINT in appsettings.Production.json and should be the same across all servers.
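
As an added check that is not part of the original article, the following Python script compares the kid values each node publishes at its jwks endpoint against the thumbprint configured in appsettings.Production.json, and reads the kid out of a token header to show which node's certificate would be needed to validate it. The thumbprint, JWKS documents and token below are constructed sample values; against a live deployment you would fetch each node's jwks URL instead.

```python
import base64
import json
from typing import Dict, List, Optional

# Constructed sample data (not real certificates or keys): the thumbprint an
# administrator put into appsettings.Production.json, and the JWKS document each
# node returns from /identity/.well-known/openid-configuration/jwks.
CONFIGURED_THUMBPRINT = "1F2E3D4C5B6A79880776655443322110FFEEDDCC"
SAMPLE_JWKS_BY_NODE = {
    "node1": '{"keys":[{"kty":"RSA","use":"sig","alg":"RS256",'
             '"kid":"1F2E3D4C5B6A79880776655443322110FFEEDDCC"}]}',
    # node2 still signs with an older certificate, so its kid differs.
    "node2": '{"keys":[{"kty":"RSA","use":"sig","alg":"RS256",'
             '"kid":"00112233445566778899AABBCCDDEEFF00112233"}]}',
}

def jwks_kids(jwks_json: str) -> List[str]:
    """Return the key ids advertised in a JWKS document."""
    return [k["kid"] for k in json.loads(jwks_json).get("keys", []) if "kid" in k]

def find_mismatched_nodes(jwks_by_node: Dict[str, str], thumbprint: str) -> List[str]:
    """Nodes whose JWKS does not publish the configured thumbprint as a kid."""
    want = thumbprint.replace(" ", "").upper()
    return sorted(node for node, jwks in jwks_by_node.items()
                  if want not in {kid.upper() for kid in jwks_kids(jwks)})

def token_kid(token: str) -> Optional[str]:
    """Read the kid from a JWT header. No signature check is done here; this
    only tells you which certificate the issuing node used."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64)).get("kid")

def nodes_publishing_kid(token: str, jwks_by_node: Dict[str, str]) -> List[str]:
    """Nodes that could validate this token, i.e. whose JWKS contains its kid."""
    kid = (token_kid(token) or "").upper()
    return sorted(node for node, jwks in jwks_by_node.items()
                  if kid in {k.upper() for k in jwks_kids(jwks)})

def make_sample_token(kid: str) -> str:
    """Build a constructed, unsigned JWT-shaped string carrying the given kid."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT', 'kid': kid})}.{b64({'sub': 'admin'})}.sig"
```

A node listed by find_mismatched_nodes is the one whose certificate or thumbprint setting needs to be brought in line with the others.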

Solution:

  1. Import the same certificate in all nodes.

  2. Update appsettings.Production.json on every node so that all of them use the same Thumbprint:

       "AppSettings": {
         "IdentityServerAddress": "https://ORCHESTRATOR/identity",
         "SigningCredentialSettings": {
           "StoreLocation": {
             "Name": "THUMBPRINT",
             "Location": "LocalMachine",
             "NameType": "Thumbprint"
           }
         }
       }

     Make sure the Identity site is pointing to the right location.