Tools, FAQ, Tutorials:
Validate Azure AD v2 id_token Signature
How to validate the id_token signature received from Azure AD v2.0 authentication response?
✍: FYIcenter.com
You can use some existing libraries to perform the Azure AD "id_token" signature
validation using libraries of different programming languages as suggested
in
"Azure Active Directory access tokens" article".
But you can also try to validate the "id_token" signature with your own code logic in these steps:
1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.
Header = { "typ": "JWT", "alg": "RS256", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"" }
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:
{ "authorization_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize", "token_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token", ... "jwks_uri": "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys", }
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/v2.0/keys
5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.
{ "keys": [ { "kty": "RSA", "use": "sig", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..." ] }, { "kty": "RSA", "use": "sig", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", ... }, ... ] }
6. Validate the "Signature" component of the "id_token" with the public key certificate.
Â
⇒ Azure AD v2 Access Token Request
⇠Validate Azure AD v2 id_token
⇑⇑ OpenID Tutorials
2019-03-27, 1332👍, 0💬
Popular Posts:
What Is Azure API Management Service? Azure API Management as a turnkey solution for publishing APIs...
How to create a navigation file like navigation.xhtml for an EPUB 3.0 book? At least one navigation ...
Where to find tutorials on Using Azure API Management Developer Portal? Here is a list of tutorials ...
How to Build my "sleep" Docker image from the Alpine image? I want the container to sleep for 10 hou...
How to read RSS validation errors at w3.org? If your RSS feed has errors, the RSS validator at w3.or...