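/// <summary>
/// Verifies signing-key resolution when the token carries an <c>x5t</c> header but the
/// signing key has no KeyId: validation must succeed with the matching public key and
/// must be rejected as an invalid signature (IDX10503) with a different certificate's key.
/// </summary>
public void MatchX5t()
{
    X509SecurityKey signingKey = KeyingMaterial.X509SecurityKeySelfSigned2048_SHA256;
    X509SecurityKey validateKey = KeyingMaterial.X509SecurityKeySelfSigned2048_SHA256_Public;

    // Assume SigningKey.KeyId doesn't match validationParameters.IssuerSigningKey.KeyId
    // NOTE(review): signingKey comes from KeyingMaterial and looks like shared test state;
    // clearing KeyId here may be visible to other tests - confirm, or restore it afterwards.
    signingKey.KeyId = null;

    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256Signature);
    var header = new JwtHeader(signingCredentials);

    // x5t carries the base64url-encoded certificate hash of the signing certificate.
    header.Add(JwtHeaderParameterNames.X5t, Base64UrlEncoder.Encode(KeyingMaterial.CertSelfSigned2048_SHA256.GetCertHash()));

    var payload = new JwtPayload();
    payload.AddClaims(ClaimSets.DefaultClaims);

    var jwtToken = new JwtSecurityToken(header, payload);
    var handler = new JwtSecurityTokenHandler();
    var jwt = handler.WriteToken(jwtToken);

    // Audience, issuer and lifetime checks are switched off so that the signature is the
    // only thing under test; RequireSignedTokens stays on.
    var validationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = validateKey,
        RequireExpirationTime = false,
        RequireSignedTokens = true,
        ValidateAudience = false,
        ValidateIssuer = false,
        ValidateLifetime = false,
    };

    // Positive case: the matching public key validates the token (ValidateToken throws otherwise).
    SecurityToken validatedSecurityToken = null;
    handler.ValidateToken(jwt, validationParameters, out validatedSecurityToken);

    // Negative case: a key from a different certificate must not validate the same token.
    validateKey = KeyingMaterial.X509SecurityKeySelfSigned2048_SHA384_Public;
    validationParameters.IssuerSigningKey = validateKey;

    ExpectedException expectedException = ExpectedException.SecurityTokenInvalidSignatureException("IDX10503:");
    try
    {
        handler.ValidateToken(jwt, validationParameters, out validatedSecurityToken);

        // Without this call the test would pass silently if the wrong key were accepted,
        // which is exactly the regression this case exists to catch.
        expectedException.ProcessNoException();
    }
    catch (Exception ex)
    {
        expectedException.ProcessException(ex);
    }
}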