ADB2C | Token

Abhay Chandramouli 1,056 Reputation points
2022-12-08T14:19:43.96+00:00

Hi
I have the following use case

I get the user to login using b2c custom policy.

Once we get the token, we send it to another system during an api call
We need the other system to check if the token is valid token and that it has not expired.

Is there a way I can achieve this ?

I am using Azure ADB2C


Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-12-13T07:10:25.737+00:00

    Hi @Abhay Chandramouli ,

    If the application needs to validate an ID token or an access token, it should first validate the signature of the token and the issuer against the values in the OpenID discovery endpoint. You need to get the key from the discovery endpoint and need to check the signature, expiry date, issuer and other related claims.
    https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{signin_policy_name}/v2.0/.well-known/openid-configuration

    There are many SDKs available. You can use the SDK System.IdentityModel.Tokens to implement it. For example:

    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Threading;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;

    // Validates a B2C-issued JWT: signature against the discovery document's keys,
    // then issuer, lifetime and audience.
    public static async Task<ClaimsPrincipal> ValidateB2CTokenAsync(string token, CancellationToken ct = default)
    {
        // The policy is named in the path, so the older "?p={policy}" query form is not needed as well.
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{signin_policy_name}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever());

        // The manager caches and refreshes the document, so signing-key rollover needs no restart.
        var discoveryDocument = await configurationManager.GetConfigurationAsync(ct);
        var signingKeys = discoveryDocument.SigningKeys;

        var validationParameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = discoveryDocument.Issuer,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = signingKeys,
            ValidateLifetime = true,
            // Audience validation is on by default and throws when no expected value is set,
            // so name the receiving application's client id here (placeholder).
            ValidateAudience = true,
            ValidAudience = "{client_id}",
        };

        // Throws a SecurityTokenException if any check fails.
        var principal = new JwtSecurityTokenHandler()
            .ValidateToken(token, validationParameters, out var rawValidatedToken);
        return principal;
    }
    

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validate-tokens

    Hope this will help.

    Thanks,
    Shweta


1 additional answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-12-12T10:46:41.313+00:00

    Hi @Abhay Chandramouli ,

    Thanks for reaching out.

    When another system receives an access token, it must validate the signature to prove that the token is authentic. Many identity providers provide an introspection endpoint that returns information about the access token so that it can be validated at the other end.

    Unfortunately, as of now we don't have any introspection endpoint to directly validate the token in another system. Customers have already shared feedback asking for an Azure AD introspection endpoint.

    An alternative to token introspection is to use a structured token format that is recognized by both the authorization server and the resource server, and an RFC describes a standardized format for access tokens using JWTs.

    As B2C sends the JWT token, another system must validate a few claims in the token to prove that it is valid and not expired. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario.

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------------

    Please remember to "Accept Answer" if answer helped you.

