Validate Azure AD v2 id_token Signature

Q

How to validate the id_token signature received from Azure AD v2.0 authentication response?

✍: FYIcenter.com

A

You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article".

But you can also try to validate the "id_token" signature with your own code logic in these steps:

1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.

Header =
{ "typ": "JWT",
  "alg": "RS256",
  "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
  "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ""
}

2. Get a copy of the Azure AD metadata document:

GET https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:

{
    "authorization_endpoint": 
       "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize",
    "token_endpoint": 
       "https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token",
...
    "jwks_uri":
       "https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys",
}

4. Get a copy of Azure AD public keys:

GET https://login.microsoftonline.com/common/discovery/v2.0/keys

5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.

{
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
            "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
            "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...",
            "e": "AQAB",
            "x5c": [
                "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..."
            ]
        },
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
            "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
            ...
        },
        ...
    ]
}

6. Validate the "Signature" component of the "id_token" with the public key certificate.

⇒ Azure AD v2 Access Token Request

⇐ Validate Azure AD v2 id_token

⇑ Azure AD Integration v2.0

⇑⇑ OpenID Tutorials

2023-09-06, ∼4266🔥, 1💬

Validate Azure AD v2 id_token Signature
How to validate the id_token signature received from Azure AD v2.0 authentication response? You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article" .... 2023-09-06, ∼4267🔥, 1💬

💬 2023-09-06 rjurado01: You safe my life.

Access Token Response Received from Azure AD v2
How to process the access token response received from Azure AD v2.0 service? After Azure AD v2.0 service receives an access token request from your Web server script, it will process the request and returns the access token response directly. In order for your Web server script to process the acces... 2019-03-27, ∼3396🔥, 0💬

Azure AD v2 id_token Decoded Example
Where to find an Azure AD v2.0 id_token decoded example? Here is an example of an "id_token" value returned from Azure AD v2.0 after Base64URL decoded: Header = { "typ": "JWT", "alg": "RS256", "kid": "1LTMzakihiRla_8z2BEJVXeWMqo" } Body = { "ver": "2.0", "iss": "https://login.microsoftonline .com/918... 2019-04-03, ∼3020🔥, 0💬

Validate Azure AD v2 id_token
How to validate the id_token value received from Azure AD v2.0 authentication response? As you can see from the previous tutorials, you can easily decode the "id_token" value received from Azure AD authentication response using a simple PHP script. After decoding, you can get all information about t... 2019-03-27, ∼2805🔥, 0💬

Azure AD v2 Access Token Request
What is the Azure AD v2.0 Access Token Request? If you want to implement the authentication code flow to integrate your application with Azure AD v2.0, you need to have a good understanding of the Azure AD v2.0 access token request, which is the second call you have to make in the authentication cod... 2019-03-27, ∼2228🔥, 0💬

Decode Azure AD v2 id_token
How to decode the id_token value received from Azure AD v2.0 authentication response? According to the "RFC 7519 - JWT (JSON Web Token)" standard, the "id_token" value received from Azure AD authentication response should be decoded as below: Splitting the encoded string into 3 components: Header, B... 2019-04-03, ∼2209🔥, 0💬

Azure AD v2 id_token Is Smaller
Where Azure AD v2.0 id_token is smaller than v1.0? Azure AD v2.0 id_token is smaller than v1.0, because the number of default claims (properties) are reduced in Azure AD v2.0 id_tokens as shown in the table below: Azure AD v2.0 Azure AD v1.0 ver=2.0 ver=1.0 rh iss iss sub sub aud aud exp exp iat iat... 2019-04-03, ∼1829🔥, 0💬

Initiate Azure AD v2 Access Token Request
How to initiate Azure AD v2.0 Access Token Request? The Azure AD v2.0 Access Token Request should be initiated from your application Web server. This is why the authentication code flow is more secure than the implicit flow, because the "id_token" value will be received by Web server directly from t... 2019-03-27, ∼1829🔥, 0💬

Azure AD v2 Access Token Request Test Page
How to build an Azure AD 2.0 Access Token Request Test page? The Access Token Request is the second call to the Azure AD service in the authentication code flow to retrieve the id_token with the authentication code received from the first call. You can build a simple Web form page to test different ... 2019-03-27, ∼1815🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.