Tools, FAQ, Tutorials:
Validate Azure AD v2 id_token Signature
How to validate the id_token signature received from Azure AD v2.0 authentication response?
✍: FYIcenter.com
You can use some existing libraries to perform the Azure AD "id_token" signature
validation using libraries of different programming languages as suggested
in
"Azure Active Directory access tokens" article".
But you can also try to validate the "id_token" signature with your own code logic in these steps:
1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.
Header = { "typ": "JWT", "alg": "RS256", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"" }
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:
{ "authorization_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize", "token_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token", ... "jwks_uri": "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys", }
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/v2.0/keys
5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.
{ "keys": [ { "kty": "RSA", "use": "sig", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..." ] }, { "kty": "RSA", "use": "sig", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", ... }, ... ] }
6. Validate the "Signature" component of the "id_token" with the public key certificate.
⇒ Azure AD v2 Access Token Request
2023-09-06, 2301👍, 1💬
Popular Posts:
How to create a new API on the Publisher Dashboard of an Azure API Management Service? If you are ne...
How to use the RSS Online Validator at w3.org? You can follow this tutorial to learn how to use the ...
How To Pad an Array with the Same Value Multiple Times in PHP? If you want to add the same value mul...
How to detect errors occurred in the json_decode() call? You can use the following two functions to ...
How To Create an Array with a Sequence of Integers or Characters in PHP? The quickest way to create ...