I'm very new to ADFS, so go easy on me. The startup class based on the Epi Documentation seems to be working correctly. If I try to hit myurl.gov/episerver for this test site, it passes through the ADFS server and sends me back to the home page. Unfortunately I'm getting an error on the webserver.
Has anyone come across this?
I faced this same error with OpenId Connect implementation. The problem obviously is that the default signature validator cannot validate the token signature.
First, to see the "PII is hidden..." details, you need to add this to your code:
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
That way you will see what key was used to try to validate the signature (there could be multiple, but usually there is just one). But that most likely will not help you much with the issue; you can just check that it is using the correct key to validate the signature.
You should check from the returned token header what algorithm is used to verify the signature (header alg value), it could be a public key or a certificate etc.
Have a look at this article (might help you): https://medium.com/the-new-control-plane/validating-an-adfs-jwt-token-1146bb529a2a
In my case the problem was that the public key returned from the JWKS endpoint had zero as the first byte, which made the key "invalid", and I had to implement a custom signature validator which removed the first zero byte from the key and ta-daa, signature validation started to work (this was with the OpenAM product, but the same issue has been reported with SalesForce in the past, and it has been fixed by SalesForce).
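To make the two checks in the answer above concrete (read the token header's alg and kid, then inspect the JWKS modulus for the spurious leading zero byte), here is an added Python example; it is not code from the poster or from Episerver/OWIN, and the token, kid, JWKS document and modulus bytes are all constructed for illustration. The modulus is built to look like a 2048-bit value whose top bit is set, which is exactly the case where a signed-integer serializer prepends 0x00; RFC 7518 requires the minimum number of octets, so strict validators reject such a key.

```python
import base64
import json

ALLOWED_ALGS = {"RS256"}  # what the relying party is configured to accept

# Constructed JOSE header, not a real ADFS token header.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "constructed-key-1"}

# Constructed modulus: 256 bytes with the top bit set (looks like 2048-bit RSA)
# plus the spurious 0x00 that a two's-complement encoder adds in front of it.
BAD_N = b"\x00" + bytes([0xC3]) + bytes(range(1, 256))  # 257 bytes


def b64url_decode(data: str) -> bytes:
    """Base64url-decode, restoring the padding that JWTs strip."""
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed JWKS document (not from a real endpoint) carrying the bad modulus.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "constructed-key-1",
                         "alg": "RS256", "e": "AQAB", "n": b64url_encode(BAD_N)}]}


def build_sample_token(header: dict) -> str:
    """Constructed compact JWT for header inspection only; payload and signature are dummies."""
    payload = {"sub": "constructed-user", "aud": "https://example.invalid/"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"not-a-real-signature")])


def decode_jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT without verifying anything."""
    return json.loads(b64url_decode(token.split(".")[0]))


def select_jwk(header: dict, jwks: dict) -> dict:
    """Pick the JWKS key whose kid matches the header; refuse algs we do not expect."""
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid"):
            return key
    raise LookupError(f"no JWKS key matches kid {header.get('kid')!r}")


def normalize_modulus(n_raw: bytes) -> bytes:
    """Drop leading 0x00 octets: RFC 7518 Base64urlUInt demands the minimum
    octet count, and the integer value is unchanged by the removal."""
    stripped = n_raw.lstrip(b"\x00")
    return stripped if stripped else b"\x00"


def diagnose(token: str, jwks: dict) -> dict:
    """Report what a failing signature validation would need to know about the key."""
    header = decode_jwt_header(token)
    jwk = select_jwk(header, jwks)
    raw = b64url_decode(jwk["n"])
    fixed = normalize_modulus(raw)
    return {
        "alg": header["alg"],
        "kid": header["kid"],
        "modulus_len": len(raw),
        "leading_zero": raw[0] == 0,
        "normalized_len": len(fixed),
        "value_unchanged": int.from_bytes(raw, "big") == int.from_bytes(fixed, "big"),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(build_sample_token(SAMPLE_HEADER), SAMPLE_JWKS), indent=2))
```

Running it reports a 257-byte modulus with a leading zero that normalizes to 256 bytes with the same integer value, which is the condition the poster worked around in a custom validator; if `leading_zero` is false and the kid and alg match, the key material is probably not the cause and the relying-party configuration deserves the next look.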
I know this is resurrecting an old issue, but I managed to get it to authenticate correctly by changing the hash algorithm to SHA-256 in the relying party config. Users and roles are populating the db accordingly.
Thank you for the previous response, but honestly I tried just about everything and I still couldn't get that to show the error. Changed the machine config vals and added ShowPII to my OWIN logging, but VS yelled at me as well. Thankfully I solved this one through stubborn trial and error.