Tools, FAQ, Tutorials:
Validate Azure AD v2 id_token Signature
How to validate the id_token signature received from Azure AD v2.0 authentication response?
✍: FYIcenter.com
You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article".
But you can also try to validate the "id_token" signature with your own code logic in these steps:
1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.
Header = { "typ": "JWT", "alg": "RS256", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"" }
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:
{ "authorization_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize", "token_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token", ... "jwks_uri": "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys", }
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/v2.0/keys
5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.
{ "keys": [ { "kty": "RSA", "use": "sig", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..." ] }, { "kty": "RSA", "use": "sig", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", ... }, ... ] }
6. Validate the "Signature" component of the "id_token" with the public key certificate.
⇒ Azure AD v2 Access Token Request
2023-09-06, 3565🔥, 1💬
Popular Posts:
How to use urllib.parse.urlencode() function to encode HTTP POST data? My form data has special char...
Where to find EPUB Sample Files? Here is a list of EPUB sample files collected by FYIcenter.com team...
How To Pad an Array with the Same Value Multiple Times in PHP? If you want to add the same value mul...
What Is Azure API Management Service? Azure API Management as a turnkey solution for publishing APIs...
How to access Query String parameters from "context.Request.Url.Que ry"object in Azure API Policy? Q...