"Failed to obtain access token" and Error "AADSTS50146" with Azure AD (Entra ID) Connection

Overview

A customer is experiencing an issue attempting to authenticate with an Azure AD (Entra ID) connection via Auth0.
The authentication flow fails with the following error message:

    "error": {
        "message": "failed to obtain access token",
        "oauthError": "invalid_request",
        "payload": "{\"error\":\"invalid_request\",\"error_description\":\"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.\"}",
        "type": "request-error"
    }

Cause

This is caused by a misconfiguration of the application registration on the Azure AD (Entra ID) side: as the error description states, the application has no application-specific signing key configured, or the configured key has expired or is not yet valid.

Solution

A Microsoft forum thread discusses this error in more detail, along with possible steps to mitigate it. The solution is reproduced below; the full thread can be reviewed using the link provided at the bottom. Note that this is guidance provided by Microsoft Support, and issues pertaining to the Microsoft platform should be routed to the Microsoft Support team.

AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid. Please contact the application's administrator.

The first option is to create such a key using Azure AD Graph API:

Create a certificate with the private key in PFX format.
Convert the PFX file to a base-64 encoded file:
    $fileContentBytes = get-content "file.pfx" -Encoding Byte
    [System.Convert]::ToBase64String($fileContentBytes) | Out-File "pfxbytes.txt"
Sign in to Azure AD Graph API using the following link: https://graphexplorer.azurewebsites.net/
Execute the following method:
    PATCH https://graph.windows.net/myorganization/servicePrincipals/<ObjectID_of_the_service_principal_of_your_app>
    {
        "keyCredentials": [{
            "startDate": "2018-02-22T01:10:00Z",
            "endDate": "2019-02-22T01:10:00Z",
            "type": "X509CertAndPassword",
            "usage": "Sign",
            "keyId": "100C8EC2-0011-490c-86A2-3BF89A708456",
            "value": "Content of pfxbytes.txt"
        }],
        "passwordCredentials": [{
            "startDate": "2018-02-22T01:10:00Z",
            "endDate": "2019-02-22T01:10:00Z",
            "keyId": "100C8EC2-0011-490c-86A2-3BF89A708456",
            "value": "Password for the PFX file"
        }]
    }

Note that "startDate" and "endDate" must match the real dates of the certificate. "keyId" must be the same for both "keyCredentials" and "passwordCredentials" (you can use any GUID generator to provide its value).

The second option is to verify your application domain:

Add and verify your application domain in the "Custom domain names" blade of Azure AD.
Domain verification means that your domain must be accessible through the Internet and you must publish a special TXT file with the secret key on this domain, so that Azure AD can check that this domain belongs to you.
Then you should set the switch "acceptMappedClaims": true in your app registration manifest.
Note that it is also possible to use your application without publishing it to a valid Internet domain.
Azure AD always has the default verified domain that belongs to the directory itself.
Registering this domain in your "hosts" file will allow you to use your Intranet app.
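As an added example (not code from the Microsoft thread or from Auth0), the following PowerShell script carries out the first option end to end: it creates the certificate, exports and base64-encodes the PFX, and PATCHes the service principal with keyCredentials and passwordCredentials whose dates are read from the certificate and which share one keyId, so the two constraints in the note above are met by construction. It assumes Windows PowerShell 5.1 on Windows, the Azure AD Graph endpoint quoted above with its api-version=1.6 query parameter, and placeholder parameters ($ServicePrincipalObjectId, $AccessToken, the certificate subject) that you supply.

```powershell
# Added example, not Microsoft's or Auth0's code. Assumes Windows PowerShell 5.1,
# the Azure AD Graph endpoint used in the thread above, and the placeholders below.
param(
    [Parameter(Mandatory)] [string] $ServicePrincipalObjectId,  # object id of the app's service principal
    [Parameter(Mandatory)] [string] $AccessToken,               # bearer token for https://graph.windows.net
    [string] $Subject = "CN=auth0-entra-signing-key",           # placeholder subject name
    [string] $PfxPath = "$env:TEMP\signing.pfx"
)

# 1. Create a certificate with an exportable private key, valid for one year.
$cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export it as a password-protected PFX and base64-encode the file bytes
#    (ReadAllBytes replaces the PS 5.1-only "get-content -Encoding Byte").
$plainPassword  = -join ((@(48..57) + @(65..90) + @(97..122)) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$securePassword = ConvertTo-SecureString -String $plainPassword -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $securePassword | Out-Null
$pfxBase64 = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($PfxPath))

# 3. Build the PATCH body. startDate/endDate come from the certificate itself so
#    they match its real validity window, and a single GUID is used as keyId for
#    both keyCredentials and passwordCredentials, as the guidance requires.
$keyId     = [guid]::NewGuid().ToString()
$startDate = $cert.NotBefore.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$endDate   = $cert.NotAfter.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$body = @{
    keyCredentials = @(@{
        startDate = $startDate; endDate = $endDate
        type = "X509CertAndPassword"; usage = "Sign"
        keyId = $keyId; value = $pfxBase64
    })
    passwordCredentials = @(@{
        startDate = $startDate; endDate = $endDate
        keyId = $keyId; value = $plainPassword
    })
} | ConvertTo-Json -Depth 4

# 4. PATCH the service principal (Azure AD Graph endpoint from the thread;
#    api-version=1.6 is the Graph version string, assumed here, not shown above).
$uri = "https://graph.windows.net/myorganization/servicePrincipals/$ServicePrincipalObjectId?api-version=1.6"
Invoke-RestMethod -Method Patch -Uri $uri -ContentType "application/json" `
    -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body

# 5. The PFX on disk contains the private key; remove it once it has been uploaded.
Remove-Item $PfxPath -Force
Write-Output "Registered signing key $keyId, valid $startDate to $endDate"
```

Re-run the script before $endDate to rotate the key, since an expired key reproduces the same AADSTS50146 error.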

source: