Tools, FAQ, Tutorials:
Validate Azure AD v2 id_token Signature
How to validate the id_token signature received from Azure AD v2.0 authentication response?
✍: FYIcenter.com
You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article".
But you can also try to validate the "id_token" signature with your own code logic in these steps:
1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.
Header = { "typ": "JWT", "alg": "RS256", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"" }
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:
{ "authorization_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize", "token_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token", ... "jwks_uri": "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys", }
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/v2.0/keys
5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.
{ "keys": [ { "kty": "RSA", "use": "sig", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..." ] }, { "kty": "RSA", "use": "sig", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", ... }, ... ] }
6. Validate the "Signature" component of the "id_token" with the public key certificate.
⇒ Azure AD v2 Access Token Request
2023-09-06, 3220🔥, 1💬
Popular Posts:
What are "*..." and "**..." Wildcard Parameters in Function Definitions? If you want to define a fun...
How to add request body examples to my Azure API operation to make it more user friendly? If you hav...
How to use the Atom Online Validator at w3.org? w3.org feed validation service is provided at http:/...
How to add request URL Template Parameters to my Azure API operation 2017 version to make it more us...
How to add request URL Template Parameters to my Azure API operation 2017 version to make it more us...