Validate Azure AD v1 id

Validate Azure AD v1 id_token

Q

How to validate the id_token value received from Azure AD v1.0 authentication response?

✍: FYIcenter.com

A

As you can see from the previous tutorials, you can easily decode the "id_token" value received from Azure AD authentication response using a simple PHP script.

After decoding, you can get all information about the end user from the body component, and trust it without any validation.

But, since the "id_token" is included in the authentication response delivered over the public Internet, you should not trust it and perform a number validation steps:

1. Data structure validation.

The "id_token" must have 3 components.
Each component must be a Base64URL encoded string.
The decoded "Header" and 'Body" (also called "Payload") components must be JSON strings.

2. Data attributes validation.

The "Header " component must have all required attributes and values. For example, "typ": "JWT", "alg": "...", and "kid": "..." are required.
The "Body" component must have all required attributes and values. For example, "ver": "1.0", is required to indicate the version of the id_token structure. "iss": "..." must match the id of the Active Directory your app is registered in. "aud": "..." must match the "client_id" value in your authentication request.

3. Timestamp attributes validation. This will prevent someone to repost the authentication response to your server script at a later time.

"iat": "1416968588" specifies the "Issue AT" time. It must be very recent.
"nbf": "1416968588" specifies the "Not BeFore" time. It must be a past time.
"exp": "1416968588" specifies the "EXPiration" time. It must be a future time.

4. "nonce" protection and validation. This will prevent someone to repost the authentication response again immediately.

Generate a new random value for the "nonce" and included in your authentication request and save it into the server cache.
Take the "nonce" value out of the "Body" component of the authentication response and search it in the server cache.
If a match found, the "nonce" is valid and remove it from the server cache.
If no match found, the "nonce" is invalid. Someone is hacking your application, or Azure AD service is sending a duplicate authentication response.
Remove old "nonce" values from the server cache. Some authentication requests will never result any authentication response, because not all end users are going to complete their Azure AD sign-on processes.

5. Signature validation. This is to ensure the entire authentication response message has not been modified by someone else. See next tutorial on how to perform "id_token" signature validation.

Â

â‡’ Validate Azure AD v1 id_token Signature

â‡ Azure AD v1 id_token Decoded Example

â‡‘ Azure AD Integration v1.0

â‡‘â‡‘ OpenID Tutorials

2021-05-16, 1094👍, 0💬

Introduction of EPUB 2.0 Specification
Where to find tutorials on introduction of EPUB 2.0 Specification? Here is a list of tutorials to answer many frequently asked questions compiled by FYIcenter.com team on introduction of EPUB 2.0 Specification. What Is EPUB 2.0 Specification Minimum Requirement of EPUB 2.0.1 File Hello-2.0.epub - "m... 2019-01-12, 1974👍, 0💬

Hello-2.0.epub - Navigation File: navigation.xml
How to create a navigation file like navigation.xml for an EPUB 2.0.1 book? At least one navigation file, like navigation.xml, is required for an EPUB 2.0.1 book in the book ZIP container. It provides navigation information like a table of contents of the book. Here is the requirement on a navigatio... 2021-04-15, 1646👍, 0💬

Hello-2.0.epub - Content File: content.xhtml
How to create a content file like content.xhtml for an EPUB 2.0.1 book? At least one content file, like content.xhtml, is required for an EPUB 2.0.1 book in the book ZIP container. It provides the content of the book. Here is the requirement on a content file: 1. A content file must be named with .x... 2021-04-04, 1605👍, 0💬

Azure AD v1 id_token Decoded Example
Where to find an Azure AD v1.0 id_token decoded example? Here is an example of an "id_token" value returned from Azure AD v1.0 after Base64URL decoded: Header = { "typ": "JWT", "alg": "RS256", "x5t": "i6lGk3FZzxRcUb2C3nEQ7syHJlY", "kid": "i6lGk3FZzxRcUb2C3nEQ7syHJlY" } Body = { "aud": "ef1da9d4-ff77... 2021-05-16, 1111👍, 0💬

Validate Azure AD v1 id_token
How to validate the id_token value received from Azure AD v1.0 authentication response? As you can see from the previous tutorials, you can easily decode the "id_token" value received from Azure AD authentication response using a simple PHP script. After decoding, you can get all information about t... 2021-05-16, 1095👍, 0💬

Build Implicit Flow with Azure AD v1
How to implement the OpenID Implicit Flow with Azure AD v1.0 service? If you want to implement the OpenID Implicit Flow in your Web application to use Azure AD service, you should follow these steps: 1. Building the Azure AD v1.0 Sign-on authentication request: Register your Web application to the A... 2021-05-16, 1073👍, 0💬

Validate Azure AD v1 id_token Signature
How to validate the id_token signature received from Azure AD v1.0 authentication response? You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article" .... 2021-05-16, 1021👍, 0💬

Decode Azure AD v1 id_token
How to decode the id_token value received from Azure AD v1.0 authentication response? According to the "RFC 7519 - JWT (JSON Web Token)" standard, the "id_token" value received from Azure AD authentication response should be decoded as below: Splitting the encoded string into 3 components: Header, B... 2021-05-16, 1008👍, 0💬

Azure AD v1 Authentication Request Test Page
How to build an Azure AD v1.0 Authentication Request Test page? The Authentication Request is the first call to the Azure AD service. You can build a simple Web form page to test different behavior of the Authentication Request. Here is an example, Azure-AD-Authentication-Reques t-Test.html:<... 2022-05-01, 972👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.