Validate Azure AD v1 id_token Signature
How to validate the id_token signature received from Azure AD v1.0 authentication response?
✍: FYIcenter.com
You can use existing libraries in a number of programming languages to validate the Azure AD "id_token" signature, as suggested in the "Azure Active Directory access tokens" article.
But you can also validate the "id_token" signature with your own code, following these steps:
1. Take the "kid" value from the "Header" component of the "id_token". It identifies the public key that Azure AD used to sign the "id_token". The "kid" value replaces the older "x5t" value, so use "kid" and stop relying on "x5t". While you are in the header, also check that "alg" is "RS256": the header is under the sender's control until the signature is verified, so your code must pin the algorithm it expects rather than accept whatever the token names (in particular "none" or an HMAC algorithm).
Header = { "typ": "JWT", "alg": "RS256", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ" }
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document; it is the URL of the Azure AD public keys:
{ "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/authorize", "token_endpoint": "https://login.microsoftonline.com/common/oauth2/token", ..., "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys", ... }
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/keys
5. Take the "x5c" value of the "keys" entry whose "kid" matches the value you have from the "id_token". The "x5c" value is the base64-encoded X.509 certificate that carries the signing public key (the same key is also published as the RSA modulus "n" and exponent "e", so either form can be used). If no entry matches, reject the token rather than trying the other keys; Azure AD rotates its signing keys, so an unknown "kid" is also the signal to fetch a fresh copy of the "jwks_uri" document before giving up.
{ "keys": [ { "kty": "RSA", "use": "sig", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..." ] }, { "kty": "RSA", "use": "sig", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", ... }, ... ] }
6. Validate the "Signature" component of the "id_token" with the public key from that certificate. For "alg" = "RS256" the signature is RSASSA-PKCS1-v1_5 with SHA-256 over the signing input, which is the base64url-encoded "Header" and "Payload" joined by a ".". A valid signature only proves Azure AD issued the token; before accepting it you still have to check the payload claims: "iss" must be the issuer for your tenant, "aud" must be your application's client ID, and the current time must fall within "nbf" and "exp".
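The six steps above carried out end to end, as an added example in Go that is not code from the original page or from Microsoft. ValidateIDToken performs steps 1, 5 and 6 offline against the "keys" array of a JWKS document the caller has already fetched from the jwks_uri (steps 2 to 4 are plain HTTP GETs and are left out), then checks the iss, aud and exp claims that the signature alone does not establish. So that it runs without network access, IssueTestToken stands in for Azure AD: it generates a throwaway RSA key, a self-signed certificate for the "x5c" member and a signed token; the issuer URL, audience and kid in main are placeholders, not real tenant or client identifiers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the part of a jwks_uri key entry the validation needs (encoding/json
// matches the lower-case "kty", "kid" and "x5c" members case-insensitively).
type jwk struct {
	Kty, Kid string
	X5c      []string
}

// ValidateIDToken runs steps 1, 5 and 6 against the "keys" array of an already
// fetched JWKS, then checks iss, aud and exp. Claims come back only if all pass.
func ValidateIDToken(token string, keys []jwk, issuer, audience string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have 3 segments, got %d", len(parts))
	}
	var hdr map[string]interface{}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed header")
	}
	// Step 1: pin the algorithm. The header is attacker-controlled until the
	// signature is verified, so "none" or an HMAC alg must be rejected here.
	if hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("unexpected alg %v", hdr["alg"])
	}
	// Step 5: select the key entry by kid; x5c[0] is the base64 DER certificate.
	var der []byte
	for _, k := range keys {
		if k.Kid == hdr["kid"] && k.Kty == "RSA" && len(k.X5c) > 0 {
			der, _ = base64.StdEncoding.DecodeString(k.X5c[0])
		}
	}
	var pub *rsa.PublicKey
	if cert, err := x509.ParseCertificate(der); err == nil { // nil der (unknown kid) fails too
		pub, _ = cert.PublicKey.(*rsa.PublicKey)
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA signing key for kid %v", hdr["kid"])
	}
	// Step 6: RS256 is RSASSA-PKCS1-v1_5 with SHA-256 over "header.payload".
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	// Only now are the claims trustworthy: check issuer, audience and expiry.
	var claims map[string]interface{}
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	for name, want := range map[string]string{"iss": issuer, "aud": audience} {
		if got, _ := claims[name].(string); got != want {
			return nil, fmt.Errorf("unexpected %s %q", name, got)
		}
	}
	if exp, _ := claims["exp"].(float64); !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return claims, nil
}

// IssueTestToken stands in for the IdP: a throwaway RSA key, the JWKS entry it
// would publish (self-signed cert in x5c) and an RS256 token over the claims.
// Constructed test data, not Azure AD's real signing keys.
func IssueTestToken(kid string, claims map[string]interface{}) (string, []jwk, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", nil, err
	}
	keys := []jwk{{Kty: "RSA", Kid: kid, X5c: []string{base64.StdEncoding.EncodeToString(der)}}}
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), keys, err
}

func main() {
	iss, aud := "https://sts.windows.net/TENANT-ID/", "CLIENT-ID" // placeholders, not real IDs
	tok, keys, _ := IssueTestToken("test-kid", map[string]interface{}{"iss": iss, "aud": aud, "exp": time.Now().Add(time.Hour).Unix()})
	claims, err := ValidateIDToken(tok, keys, iss, aud, time.Now())
	fmt.Println(claims, err)
}
```

Run it with "go run"; to use it against a real token, replace IssueTestToken with the "keys" array decoded from the jwks_uri response, pass your tenant's issuer and your client ID, and refetch the JWKS once when ValidateIDToken reports an unknown kid. The order of the checks is deliberate: the algorithm is pinned before any key is looked up, the key is chosen only from the published set, and no claim is read until the signature over the exact bytes of the header and payload has verified.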
2021-05-16