Validate Azure AD v1 id_token

Q

How to validate the id_token value received from Azure AD v1.0 authentication response?

✍: FYIcenter.com

A

As you can see from the previous tutorials, you can easily decode the "id_token" value received from the Azure AD authentication response using a simple PHP script.

After decoding, you can read all the information about the end user from the body component, and it may be tempting to trust it without any validation.

But, since the "id_token" is included in an authentication response delivered over the public Internet, you should not trust it as-is. Perform the following validation steps:

1. Data structure validation.

  • The "id_token" must have 3 components.
  • Each component must be a Base64URL encoded string.
  • The decoded "Header" and "Body" (also called "Payload") components must be JSON strings.

2. Data attributes validation.

  • The "Header" component must have all required attributes and values. For example, "typ": "JWT", "alg": "..." and "kid": "..." are required.
  • The "Body" component must have all required attributes and values. For example, "ver": "1.0" is required to indicate the version of the id_token structure. "iss": "..." must match the id of the Active Directory your app is registered in. "aud": "..." must match the "client_id" value in your authentication request.

3. Timestamp attributes validation. This prevents someone from reposting the authentication response to your server script at a later time.

  • "iat": "1416968588" specifies the "Issued AT" time. It must be very recent.
  • "nbf": "1416968588" specifies the "Not BeFore" time. It must be a past time.
  • "exp": "1416968588" specifies the "EXPiration" time. It must be a future time.

4. "nonce" protection and validation. This prevents someone from reposting the authentication response again immediately.

  • Generate a new random value for the "nonce", include it in your authentication request and save it in the server cache.
  • Take the "nonce" value out of the "Body" component of the authentication response and search for it in the server cache.
  • If a match is found, the "nonce" is valid; remove it from the server cache.
  • If no match is found, the "nonce" is invalid. Someone is hacking your application, or the Azure AD service is sending a duplicate authentication response.
  • Remove old "nonce" values from the server cache. Some authentication requests will never result in any authentication response, because not all end users complete their Azure AD sign-on processes.

5. Signature validation. This ensures the entire authentication response message has not been modified by someone else. See the next tutorial on how to perform "id_token" signature validation.


2021-05-16, 761👍, 0💬