Validate Azure AD v2 id_token Signature

Q

How to validate the id_token signature received from Azure AD v2.0 authentication response?

✍: FYIcenter.com

A

You can use existing libraries in various programming languages to validate the Azure AD "id_token" signature, as suggested in the "Azure Active Directory access tokens" article.

But you can also validate the "id_token" signature with your own code logic in these steps:

1. Take the "kid" value from the "Header" component of the "id_token". It identifies the public key that the Azure AD service used to sign the "id_token". The "kid" value replaces the older "x5t" value, so stop using "x5t".

Header =
{ "typ": "JWT",
  "alg": "RS256",
  "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
  "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"
}

2. Get a copy of the Azure AD metadata document:

GET https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:

{
    "authorization_endpoint": 
       "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize",
    "token_endpoint": 
       "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token",
...
    "jwks_uri":
       "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys"
}

4. Get a copy of Azure AD public keys:

GET https://login.microsoftonline.com/common/discovery/v2.0/keys

5. Take the "x5c" value from the "keys" entry whose "kid" matches the value you have from the "id_token". The "x5c" value is the X.509 certificate that carries the public key (the "n" and "e" members of the same entry are the RSA modulus and exponent of that key).

{
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
            "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
            "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...",
            "e": "AQAB",
            "x5c": [
                "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..."
            ]
        },
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
            "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
            ...
        },
        ...
    ]
}

6. Validate the "Signature" component of the "id_token" with the public key from that certificate. The algorithm is the "alg" from the "Header" (RS256, i.e. RSA PKCS#1 v1.5 with SHA-256), and the signed data is the base64url-encoded "Header" and "Payload" components joined by a period.
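As an added example (not from this page or from Microsoft), the six steps above in stdlib-only Python: it reads the "kid" from the header, picks the matching "keys" entry, and checks the RS256 signature. It uses the JWK's "n" and "e" members rather than parsing the "x5c" certificate (both carry the same public key), and it assumes steps 2 to 4 are already done, so the downloaded JWKS JSON is passed in as `jwks`; the key pair and `DEMO_JWKS` at the bottom are constructed fixtures so the code runs offline.

```python
import base64, hashlib, hmac, json
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into a k-byte block."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def find_jwk(jwks: dict, kid: str) -> dict:
    # Step 5: the "keys" entry whose "kid" equals the "kid" from the token header
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
            return key
    raise KeyError(f"no RSA signing key with kid {kid!r}")
def verify_id_token(id_token: str, jwks: dict) -> dict:
    """Return the claims if the RS256 signature verifies; raise otherwise."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64u_dec(header_b64))
    if header.get("alg") != "RS256":          # the token must not pick "none" or HS256
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwk = find_jwk(jwks, header["kid"])       # steps 1 and 5
    n, e = (int.from_bytes(b64u_dec(jwk[m]), "big") for m in ("n", "e"))  # same key as "x5c"
    k = (n.bit_length() + 7) // 8
    # Step 6: RSAVP1 on the signature, then constant-time compare with the expected block
    em = pow(int.from_bytes(b64u_dec(sig_b64), "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode(), k)):
        raise ValueError("id_token signature is invalid")
    return json.loads(b64u_dec(payload_b64))
def signature_valid(id_token: str, jwks: dict) -> bool:
    try:
        verify_id_token(id_token, jwks)
        return True
    except (ValueError, KeyError):
        return False

# Constructed demo key pair from two Mersenne primes: trivially factorable, test use only
P, Q = 2**521 - 1, 2**127 - 1
N, D, K = P * Q, pow(65537, -1, (P - 1) * (Q - 1)), 81   # N has 648 bits -> 81 bytes
DEMO_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "demo-kid-1",
                       "n": b64u_enc(N.to_bytes(K, "big")), "e": b64u_enc(b"\x01\x00\x01")}]}
def sign_rs256(claims: dict, kid: str = "demo-kid-1") -> str:
    # Mint a token with the demo private key; in real life Azure AD does this, not you
    head = b64u_enc(json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode())
    body = b64u_enc(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa_pkcs1_v15(f"{head}.{body}".encode(), K), "big"), D, N)
    return f"{head}.{body}.{b64u_enc(sig.to_bytes(K, 'big'))}"
```

A valid signature only proves who issued the token; the claims returned still need the issuer, audience and expiry checks described in the "Azure Active Directory access tokens" article.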


2019-03-27, 251👍, 0💬