When you create a provider-hosted app, you register a Client ID and Secret ID using the SharePoint Register App page (AppRegNew.aspx) and use this Client ID and Secret ID in the web.config of the web application part of the provider-hosted app (App Web). After one year your app stops working and you get the following error:
System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.


By default the Secret Key expires after one year, and unfortunately you will not get any alerts before the expiry date. You have to renew the Secret Key at least one day before its expiry, because the new key will take about 12 hours to be generated. The following steps renew the Secret ID:

    1. Use online PowerShell to create a new Client Secret ID

Download PowerShell for Office 365:
  • Microsoft Online Services Sign-In Assistant is installed on the development computer.
  • Microsoft Online Services PowerShell Module (32-bit; 64-bit) is installed on the development computer.
  • You are a tenant administrator for the Office 365 tenant (or a farm administrator on the farm) where the app was registered with the AppRegNew.aspx page.
  • After downloading PowerShell, open it and connect to SharePoint Online using the following cmdlet:
    A popup will ask for a username and password; type your username as: UserName@DomainName.com
    2. Find out the expiration dates of the apps for SharePoint installed to the Office 365 tenancy
# -ReturnKeyValues $true puts each secret value in the report; restrict access to the file and delete it after use
Get-MsolServicePrincipal | Where-Object -FilterScript { ($_.DisplayName -notlike "*Microsoft*") -and ($_.DisplayName -notlike "autohost*") -and ($_.ServicePrincipalNames -notlike "*localhost*") } | ForEach-Object {
    $principalId = $_.AppPrincipalId
    $principalName = $_.DisplayName

    # List each password/symmetric credential of this app with its expiry date
    Get-MsolServicePrincipalCredential -AppPrincipalId $principalId -ReturnKeyValues $true | Where-Object { ($_.Type -ne "Other") -and ($_.Type -ne "Asymmetric") } | ForEach-Object {
        $date = $_.EndDate.ToShortDateString()
        Write-Output "$($principalName);$($principalId);$($_.KeyId);$($_.Type);$($date);$($_.Usage);$($_.Value)"
    }
} > c:\temp\appsec.txt
    3. Generate a new secret
$clientId = '<client ID of the add-in>'   # placeholder: set to the add-in's Client ID
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)   # fill the buffer with random bytes; without this call the secret is 32 zero bytes
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret
$newClientSecret   # print the new secret so it can be copied
Copy the new secret to use it as described in the next section.
    4. Update the web.config of the Azure App Web with the new secret
The good news is that you do not need to deploy the app again; you just need to update the web.config file of the web application part of the provider-hosted app (App Web):
<add key="ClientId" value="c86eb4d4-0efd-4269-92ba-97fd48689ec5" />
<add key="ClientSecret" value="New Secret" />
<add key="SecondaryClientSecret" value="Old Secret" />
We keep the old key in the app setting SecondaryClientSecret because the new key will take about 12 hours to be generated. During that time the web application will try the new client secret first, which will fail, and then it will use the secondary key. Once the new key is generated, the web application will use it.
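Since no alert is raised before a secret expires, the report written in step 2 can be checked on a schedule. The following is an added example, not part of the original post or of Microsoft's scripts: the function name Get-ExpiringAppSecret, the 30-day window and the sample lines are assumptions, and the report is assumed to be read on the machine that wrote it so the short date format matches.

```powershell
# Added example: flag secrets in the step 2 report that are expired or close to expiry.
# Report line format (from step 2): Name;AppPrincipalId;KeyId;Type;EndDate;Usage;Value
function Get-ExpiringAppSecret {
    param(
        [string[]] $ReportLine,
        [int] $WarningDays = 30,          # assumed alert window
        [datetime] $Now = (Get-Date)
    )
    foreach ($line in $ReportLine) {
        $f = $line.Split(';')
        if ($f.Count -lt 6) { continue }  # skip blank or malformed lines
        # Step 2 wrote the date with ToShortDateString(), so parse it with the current culture
        $end = [datetime]::MinValue
        $ok = [datetime]::TryParse($f[4], [cultureinfo]::CurrentCulture, [System.Globalization.DateTimeStyles]::None, [ref] $end)
        if (-not $ok) { continue }
        $daysLeft = ($end.Date - $Now.Date).Days
        if ($daysLeft -le $WarningDays) {
            # The Value column (the secret itself) is deliberately not copied to the output
            [pscustomobject]@{
                Name           = $f[0]
                AppPrincipalId = $f[1]
                KeyId          = $f[2]
                Type           = $f[3]
                Usage          = $f[5]
                EndDate        = $end.Date
                DaysLeft       = $daysLeft
                Status         = if ($daysLeft -lt 0) { 'Expired' } else { 'ExpiringSoon' }
            }
        }
    }
}

# Constructed sample lines in the step 2 format (names, GUIDs and values are made up)
$today  = Get-Date
$sample = @(
    "Contoso Orders;11111111-1111-1111-1111-111111111111;aaaaaaaa-0000-0000-0000-000000000001;Password;$($today.AddDays(10).ToShortDateString());Verify;PLACEHOLDER"
    "Contoso Orders;11111111-1111-1111-1111-111111111111;aaaaaaaa-0000-0000-0000-000000000002;Symmetric;$($today.AddDays(-3).ToShortDateString());Sign;PLACEHOLDER"
    "Contoso HR;22222222-2222-2222-2222-222222222222;aaaaaaaa-0000-0000-0000-000000000003;Password;$($today.AddDays(200).ToShortDateString());Verify;PLACEHOLDER"
)
Get-ExpiringAppSecret -ReportLine $sample -WarningDays 30 | Sort-Object DaysLeft | Format-Table -AutoSize

# Against the real report: Get-ExpiringAppSecret -ReportLine (Get-Content c:\temp\appsec.txt)
```

With the sample lines, the two Contoso Orders credentials are returned (one Expired, one ExpiringSoon) and the Contoso HR credential is not.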
Replace an expiring client secret in a SharePoint Add-in
