Tools, FAQ, Tutorials:
Validate Azure AD v1 id_token Signature
How to validate the id_token signature received from Azure AD v1.0 authentication response?
✍: FYIcenter.com
You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article".
But you can also try to validate the "id_token" signature with your own code logic in these steps:
1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.
Header = { "typ": "JWT", "alg": "RS256", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"" }
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:
{ "authorization_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/authorize", "token_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/token", ... "jwks_uri": "https:\/\/login.microsoftonline.com\/common\/discovery\/keys", }
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/keys
5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.
{ "keys": [ { "kty": "RSA", "use": "sig", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..." ] }, { "kty": "RSA", "use": "sig", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", ... }, ... ] }
6. Validate the "Signature" component of the "id_token" with the public key certificate.
2021-05-16, 1256🔥, 0💬
Popular Posts:
How To Avoid the Undefined Index Error in PHP? If you don't want your PHP page to give out errors as...
Can You Specify the "new line" Character in Single-Quoted Strings? You can not specify the "new line...
How to use "json-to-xml" Azure API Policy Statement? The "json-to-xml" Policy Statement allows you t...
What are the differences of Differences of evaluateTransaction() and submitTransaction() of the fabr...
How to use .NET CLR Types in Azure API Policy? By default, Azure imports many basic .NET CLR (Common...