Validate Azure AD v2 id_token
How to validate the id_token value received from Azure AD v2.0 authentication response?
As you can see from the previous tutorials, you can easily decode the "id_token" value received from Azure AD authentication response using a simple PHP script.
After decoding, you can get all information about the end user from the body component, and trust it without any validation.
But, since the "id_token" is included in the authentication response delivered over the public Internet, you should not trust it and perform a number validation steps:
1. Data structure validation.
2. Data attributes validation.
3. Timestamp attributes validation. This will prevent someone to repost the authentication response to your server script at a later time.
4. "nonce" protection and validation. This will prevent someone to repost the authentication response again immediately.
5. Signature validation. This is to ensure the entire authentication response message has not been modified by someone else. See next tutorial on how to perform "id_token" signature validation.
2019-03-27, 246👍, 0💬
What is Azure API Management Gateway? Azure API Management Gateway is the Azure Web server that serv...
How To Support Multiple-Page Forms in PHP? If you have a long form with a lots of fields, you may wa...
How To Write a String to a File with a File Handle in PHP? If you have a file handle linked to a fil...
How To Create a Directory in PHP? You can use the mkdir() function to create a directory. Here is a ...
How to add images to my EPUB books Images can be added into book content using the XHTML "img" eleme...