Validate Azure AD v1 id_token Signature
How to validate the id_token signature received from Azure AD v1.0 authentication response?
✍: FYIcenter.com
You can use some existing libraries to perform the Azure AD "id_token" signature
validation using libraries of different programming languages as suggested
in
"Azure Active Directory access tokens" article".
But you can also try to validate the "id_token" signature with your own code logic in these steps:
1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.
Header =
{ "typ": "JWT",
"alg": "RS256",
"x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
"kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ""
}
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:
{
"authorization_endpoint":
"https:\/\/login.microsoftonline.com\/common\/oauth2\/authorize",
"token_endpoint":
"https:\/\/login.microsoftonline.com\/common\/oauth2\/token",
...
"jwks_uri":
"https:\/\/login.microsoftonline.com\/common\/discovery\/keys",
}
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/keys
5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.
{
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
"x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
"n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...",
"e": "AQAB",
"x5c": [
"MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..."
]
},
{
"kty": "RSA",
"use": "sig",
"kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
"x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
...
},
...
]
}
6. Validate the "Signature" component of the "id_token" with the public key certificate.
2019-01-15, 548👍, 0💬
Related Topics:
