Tools, FAQ, Tutorials:
Validate Azure AD v2 id_token Signature
How to validate the id_token signature received from Azure AD v2.0 authentication response?
✍: FYIcenter.com
You can use some existing libraries to perform the Azure AD "id_token" signature
validation using libraries of different programming languages as suggested
in
"Azure Active Directory access tokens" article".
But you can also try to validate the "id_token" signature with your own code logic in these steps:
1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.
Header = { "typ": "JWT", "alg": "RS256", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"" }
2. Get a copy of the Azure AD metadata document:
GET https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:
{ "authorization_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize", "token_endpoint": "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token", ... "jwks_uri": "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys", }
4. Get a copy of Azure AD public keys:
GET https://login.microsoftonline.com/common/discovery/v2.0/keys
5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.
{ "keys": [ { "kty": "RSA", "use": "sig", "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ", "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..." ] }, { "kty": "RSA", "use": "sig", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0", ... }, ... ] }
6. Validate the "Signature" component of the "id_token" with the public key certificate.
⇒ Azure AD v2 Access Token Request
2023-09-06, 3386🔥, 1💬
Popular Posts:
How to use the "set-body" Policy Statement for an Azure API service operation? The "set-body" Policy...
How to create Hello-3.1.epub with WinRAR? I have all required files to create Hello-3.1.epub. To cre...
How to send an FTP request with the urllib.request.urlopen() function? If an FTP server supports ano...
How to create a navigation file like navigation.xhtml for an EPUB 3.0 book? At least one navigation ...
How to reinstall npm with a node version manager? I am getting permission errors with the current ve...