I’ve got a really strange problem with a SharePoint Online App.
When the users from one tenant only attempt to use my app, I am getting the following error trying to check the SPAppToken using TokenHelper.cs:
System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.
at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)
at …TokenHelper.ReadAndValidateContextToken(String contextTokenString, String appHostName)
I’ve tracked this down somewhat – it’s because the SPAppTokens from this particular tenant are signed with the RS256 algorithm and not the usual HS256 algorithm.
The JWT header looks like this: "alg": "RS256", "typ": "JWT", "x5t": "REDACTED",
Rather than the usual: "alg": "HS256", "typ": "JWT"
Turns out the HS256 signing algorithm uses your "Client Secret" to encode, but RS256 uses X.509 certificates, and I can’t find any information on whose certificate – mine, Microsoft’s, the tenant’s?
Any idea what’s going on?
Any idea why this one tenant, and if it’s a setting in SharePoint Online that can be switched?
Any idea where I can go for more help on this?
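The first thing worth doing when TokenHelper rejects a token is to look at the JOSE header yourself and see which signing algorithm and key identifier (x5t / kid) the tenant actually sent, then route the token to the matching verification path instead of assuming HS256. The script below is an added diagnostic example, not code from the poster or from Microsoft's TokenHelper.cs. The client secret, the payload and the RS256 thumbprint are all constructed placeholders; the RS256 path only reports which X.509 key would be needed, since the question itself is who owns that certificate.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the app's registered "Client Secret" (not a real value).
CLIENT_SECRET = b"constructed-client-secret-not-real"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _encode_parts(header: dict, payload: dict) -> str:
    compact = lambda d: json.dumps(d, separators=(",", ":")).encode()
    return ".".join(b64url_encode(compact(p)) for p in (header, payload))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample input."""
    signing_input = _encode_parts({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def make_rs256_sample(payload: dict, thumbprint: str) -> str:
    """Build a token whose header claims RS256 with a constructed x5t.
    The signature is a placeholder: this sample is for header inspection only."""
    signing_input = _encode_parts({"alg": "RS256", "typ": "JWT", "x5t": thumbprint}, payload)
    return signing_input + "." + b64url_encode(b"constructed-placeholder-signature")


def inspect_header(token: str) -> dict:
    """Return the decoded JOSE header so alg / x5t / kid are visible before validation."""
    return json.loads(b64url_decode(token.split(".")[0]))


def classify(token: str) -> str:
    """Say which verification path a token needs, based on its header."""
    header = inspect_header(token)
    alg = header.get("alg")
    if alg == "HS256":
        return "HS256: verify with the app's Client Secret"
    if alg == "RS256":
        key_id = header.get("x5t") or header.get("kid")
        return f"RS256: need the issuer's X.509 public key matching x5t/kid={key_id!r}"
    return f"unsupported alg {alg!r}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify an HS256 token with the shared secret.
    The algorithm is pinned: a token whose header says anything else is refused
    rather than being fed to HMAC, so an RS256 token must go to the X.509 path."""
    header_seg, payload_seg, sig_seg = token.split(".")
    if json.loads(b64url_decode(header_seg)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_seg))


# Constructed samples: one "normal" tenant token and one shaped like the odd tenant's.
HS256_SAMPLE = make_hs256_token({"iss": "constructed-issuer", "aud": "constructed-app"}, CLIENT_SECRET)
RS256_SAMPLE = make_rs256_sample({"iss": "constructed-issuer", "aud": "constructed-app"}, "CONSTRUCTED-THUMBPRINT")

if __name__ == "__main__":
    for name, tok in (("HS256 sample", HS256_SAMPLE), ("RS256 sample", RS256_SAMPLE)):
        print(name, inspect_header(tok), "->", classify(tok), "| hs256 ok:", verify_hs256(tok, CLIENT_SECRET))
```

Running it shows the RS256-headed token being reported as needing an X.509 key for the given x5t, and being refused by the HS256 path instead of silently failing inside a generic handler. Whatever resolves the certificate in production (TokenHelper's issuer configuration or another library), keep the same rule as `verify_hs256`: the key type you look up decides which algorithm is acceptable, never the `alg` value in the header alone.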
Have you solved this problem? We met this problem too. Only one tenant throws this exception, and other tenants work fine.
