[Bug] Token validation throws "method not found" exception after updating Microsoft.Graph.Core from v3.1.13 to 3.1.14

[ahaselgrovehatch]

Which version of Microsoft.IdentityModel are you using?
Note that to get help, you need to run the latest version.
Microsoft.IdentityModel 8.0.1

Where is the issue?

• M.IM.JsonWebTokens
• M.IM.KeyVaultExtensions
• M.IM.Logging
• M.IM.ManagedKeyVaultSecurityKey
• M.IM.Protocols
• M.IM.Protocols.OpenIdConnect
• M.IM.Protocols.SignedHttpRequest
• M.IM.Protocols.WsFederation
• M.IM.TestExtensions
• M.IM.Tokens
• M.IM.Tokens.Saml
• M.IM.Validators
• M.IM.Xml
• S.IM.Tokens.Jwt
• Other (please describe)

The app is in production, working on develop branch and I have just upgraded Microsoft.Graph.Core from v3.1.13 to 3.1.14

Repro
Bearer token authentication added with .AddMicrosoftIdentityWebApi(...) is now failing.
By adding an OnAuthenticatenFaild event handler to the JwtBearerEvents I have discovered that the context has recorded the following exception:

Method not found: 'Boolean Microsoft.IdentityModel.Tokens.AppContextSwitches.get_DoNotFailOnMissingTid()'.

   at Microsoft.IdentityModel.Validators.AadTokenValidationParametersExtension.ValidateIssuerSigningKey(SecurityKey securityKey, SecurityToken securityToken, BaseConfiguration configuration)
   at Microsoft.IdentityModel.Validators.AadTokenValidationParametersExtension.<>c__DisplayClass0_0.<EnableAadSigningKeyIssuerValidation>b__0(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters tvp, BaseConfiguration config)
   at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.<ValidateJWSAsync>d__67.MoveNext()

Expected behavior
Bearer token is validated

Actual behavior
Bearer token fails validation with the abovementioned exception

Possible solution

**Workaround
Revert to Microsoft.Graph.Core v3.1.13

Additional context / logs / screenshots / links to code
Token Payload:

{
"aud": "xxxeb45c-88b6-48d6-aabe-1d1703eddxxx",
"iss": "https://login.microsoftonline.com/xxxd9d59-2c6a-4abb-bdef-8e9435690xxx/v2.0",
"iat": 1721955693,
"nbf": 1721955693,
"exp": 1721961102,
"aio": "xxx",
"azp": "xxxeb45c-88b6-48d6-aabe-1d1703eddxxx",
"azpacr": "0",
"idp": "https://sts.windows.net/xxx4cba3-2efc-41cb-9647-b0588f934xxx/",
"name": "John Citizen",
"oid": "xxxc3867-25af-493b-a117-864d988baxxx",
"preferred_username": "john.citzen@acme.com",
"rh": "xxxQ0AWZ0NX2osu0q9746UNWkOHVy0bjS2iNZIqr4dFwPt1R0dxxx",
"roles": [
"GlobalAdministrator",
"ProductAdministrator"
],
"scp": "API.Access",
"sub": "xxxXi7BUqyuQrs4E9awmCtbVDkkyDqKMuACLMeFixxx",
"tid": "xxxd9d59-2c6a-4abb-bdef-8e9435690xxx",
"uti": "4qOAcGQNf0WmdujMZt_9AA",
"ver": "2.0"
}

[pmaytak]

Do you explicitly reference Microsoft.IdentityModel.* packages? Are they all version 8.0.1 (especially M.IM.Validators?

[ahaselgrovehatch]

Indirect reference vai Microsoft.Identity.Web 2.21.1.
When upgrading to Microsoft.Graph.Core 3.1.14, the IdentityModel indirect references are at 8.0.1, when reverting back to Microsoft.Graph.Core 3.1.13, then the IdentityModel indirect references revert to 7.7.1

[pmaytak]

You can try Microsft.Identity.Web 3.0.1 instead; it references IdentityModel 8.0.1.

[brentschmaltz]

@ahaselgrovehatch did you get any warnings in your build?

[ahaselgrovehatch]

You can try Microsft.Identity.Web 3.0.1 instead; it references IdentityModel 8.0.1.

Upgrading to Microsft.Identity.Web 3.0.1 has resolved the issue.

Note that we have our packages pinned to major releases (for example "Version=3."), Microsoft.Identity.Web was at 2., as a result we didn't automatically upgrade from 2.21.1 to 3.0.1

[ahaselgrovehatch]

@ahaselgrovehatch did you get any warnings in your build?

No, I don't believe the combination of Microsft.Identity.Web 2.21.1 and Microsoft.Graph.Core 3.1.14 generated any build warnings in our projects.