SharePoint App and “Invalid JWT token” exception

Harout Katerjian

If Prime 365 (or any SharePoint App) suddenly stops working in your Microsoft Office 365 tenant with the following exception, read on to find out what is going on:

System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.

If you inspect the OAuth protocol flow using Fiddler and the Fiddler Extension for SharePoint App Token (available thanks to Kirk Evans), you will notice that the SharePoint App Token of the failing app differs from the App Token of a working app.

Here you can see the trailer of the token issued by ACS for the failing app:

{"typ":"JWT","alg":"RS256","x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}{"aud":"a683fa34-b747-48cd-adc8-bfca2778684b/","iss":"00000001-0000-0000-c000-000000000000@7f86dcab-5543-431d-a979-f5b7cd4912df", …. }

And, here you can see the trailer of a token issued by ACS for a good one:


The failing app receives a JWT token that is signed with an X.509 certificate using the RSA with SHA-256 algorithm (alg "RS256"); the x5t header parameter carries the encoded thumbprint of the X.509 certificate that was used. The working app's token, by contrast, is signed with the HMAC SHA-256 algorithm (alg "HS256").
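To make that comparison repeatable without Fiddler, the following script (an added example, not part of the original article or of Prime 365) decodes the header and payload of a compact JWT without verifying it and reports which signing method the token shows. The mapping it applies is the one described above: "HS256" means the token was signed with the app's shared secret, while "RS256" with an x5t thumbprint is the pattern seen on the failing app. The two sample tokens are constructed inline; the failing one reuses the header and claim values quoted in the article, the working one uses all-zero placeholder GUIDs, and both carry a dummy signature segment.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Split a compact JWT into header dict, payload dict and raw signature.
    The signature is NOT verified; this is for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, parts[2]


def diagnose_app_token(token: str) -> dict:
    """Classify how a SharePoint app token was signed, per the article's observation."""
    header, payload, _signature = decode_jwt_unverified(token)
    alg = header.get("alg")
    if alg == "HS256":
        signing = "shared-secret"      # HMAC with the app's client secret (working app)
    elif alg == "RS256" and "x5t" in header:
        signing = "x509-certificate"   # RSA/SHA-256, x5t = cert thumbprint (failing app)
    else:
        signing = "unknown"
    return {
        "alg": alg,
        "x5t": header.get("x5t"),
        "signing": signing,
        "aud": payload.get("aud"),
        "iss": payload.get("iss"),
        # Symptom described in the article: cert-signed token where an HMAC one is expected.
        "likely_expired_secret": signing == "x509-certificate",
    }


def make_sample_token(header: dict, payload: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration; the signature is a dummy."""
    def seg(d):
        return _b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    return ".".join([seg(header), seg(payload), _b64url_encode(b"dummy-signature")])


# Constructed sample tokens. The failing one mirrors the values quoted in the
# article; the working one uses placeholder GUIDs.
FAILING_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"},
    {"aud": "a683fa34-b747-48cd-adc8-bfca2778684b/",
     "iss": "00000001-0000-0000-c000-000000000000@7f86dcab-5543-431d-a979-f5b7cd4912df"},
)
WORKING_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "HS256"},
    {"aud": "00000000-0000-0000-0000-000000000000/",
     "iss": "00000001-0000-0000-c000-000000000000@00000000-0000-0000-0000-000000000000"},
)

if __name__ == "__main__":
    for name, tok in (("failing", FAILING_TOKEN), ("working", WORKING_TOKEN)):
        print(name, diagnose_app_token(tok))
```

Paste a token captured from the failing request in place of the constructed sample; a result with "signing" of "x509-certificate" points at the expired shared secret described below, whereas "shared-secret" means the token itself is not the problem. The script deliberately never validates the signature, so treat its output as a diagnostic hint rather than proof that a token is genuine.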

This happens because the Shared Secret of an app expires one year after its creation, and you have to renew it manually. This MSDN article explains exactly how to renew the Shared Secret of an app without changing its Client ID: "How to Replace an expiring client secret in an app for SharePoint".

Better yet, follow the article we have created with detailed instructions to get this resolved even faster: "Replacing an expired Client Secret/JWT Token."
