Can't validate azure ad token in node js web api (Non b2c)

Saravana 20

I have registered two app in azure ad (Non b2c)

One for client application and one for web api

I have created a scope in web api app registration and added the scope using add permission in client app registration

I can able to sign in and sign out in angular using msal v2 library with the example code given by microsoft(angular v14 rxjs v7)

and i can able to send the token in authorization header. But i can't verify the token. It always showing authentication failed due to invalid token. The package i used in passport-azure-ad.

So i try to validate token using jwt.io. In order to do this i fetched public keys and used it. But still invalid signature issue.

Configuration i used, Client applcation; ClientId - (used client app client id) tenantId

web api application clientID (used web api client id) audience (used web api registration application uri id)

And i checked it through many documentation. microsoft only providing documentation for b2c login. I want to implement non b2c azure ad.

I currently using free trial account. is token verification will not work if i use free account?

waiting for your reply

thanks in advance

Accepted answer

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-05-07T03:14:03.06+00:00
Hello @Saravana , the token provided does not look like an access token, it lacks the scp (scope) claim and targets the Microsoft Graph resource (00000003-0000-0000-c000-000000000000) thus looks more like an ID token. ID tokens are not meant to be used against apis. You need to request an access token passing one of your api scopes. Eg (considering 3e313981-118f-43c4-93e9-7cbda6a5c742 it's your api app/client id):

api://3e313981-118f-43c4-93e9-7cbda6a5c742/scope1

api://3e313981-118f-43c4-93e9-7cbda6a5c742/.default (requests all scopes)

Follows a sample on how to setup automatic access token request per url using the MSAL Interceptor. Take a look to the protectedResourceMap property:

import { NgModule } from '@angular/core'; import { HTTP_INTERCEPTORS, HttpClientModule } from "@angular/common/http"; import { AppComponent } from './app.component'; import { MsalModule, MsalRedirectComponent, MsalGuard, MsalInterceptor } from '@azure/msal-angular'; // Import MsalInterceptor import { InteractionType, PublicClientApplication } from '@azure/msal-browser'; @NgModule({ declarations: [ AppComponent, ], imports: [ MsalModule.forRoot( new PublicClientApplication({ // MSAL Configuration }), { // MSAL Guard Configuration }, { // MSAL Interceptor Configurations interactionType: InteractionType.Redirect, protectedResourceMap: new Map([ ['one_of_your_api_endpoints', ['one_of_your_api_scopes'] /*['one_scope','other_scope','etc'*/] ]) }) ], providers: [ { provide: HTTP_INTERCEPTORS, // Provides as HTTP Interceptor useClass: MsalInterceptor, multi: true }, MsalGuard ], bootstrap: [AppComponent, MsalRedirectComponent] }) export class AppModule { }

Regarding jwt.io, the invalid signature is well known issue when trying to validate Azure AD tokens. Switch to https://jwt.ms/ for token validation. Keep in mind some tokens are not meant to be decoded/decrypted.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution
Please sign in to rate this answer.
Saravana 20 Reputation points

2023-05-07T05:41:25.6266667+00:00

As you suggested i have checked "Access tokens (used for implicit flows)" and unchecked id token in client app registration -> authentication menu

The below is the access_token found in response (the http request after clicking the account - https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token)

the decoded data (get directly from the post request response using developer console)

{ "aud": "api://cd85d7e3-55e1-4b87-ac0c-dc8f2789e442", "iss": "https://sts.windows.net/7ebb2ad9-1bdb-47ea-a752-f19ac9d74085/", "iat": 1683435900, "nbf": 1683435900, "exp": 1683441439, "acr": "1", "aio": "AYQAe/8TAAAAGmCRhzThB11BKzvykA2BPYIDLa8CoAx78nn4h6EQlrhV5p7Nb0jMjXV6HUFb3F91pcT6Rshd5m5zJ9dnxtonVz1E/PpSuhI5f3lImLxD6R6FVQ7aHQHk61lBnNzKwj6x52Tb9UJBiwxAYy5Jpj6rCNfvhg6jz5bRwC88Ro3TOY8=", "amr": [ "pwd" ], "appid": "9e143fc0-2f15-4618-b3c8-d146cc0d3d41", "appidacr": "0", "email": "subbarayalugovindharajalu@outlook.com", "family_name": "Govindharajalu", "given_name": "Subbarayalu", "idp": "live.com", "ipaddr": "106.221.18.97", "name": "Subbarayalu Govindharajalu", "oid": "33a7136c-faee-4b08-9105-7e656788af1d", "rh": "0.AVYA2Sq7ftsb6kenUvGayddAhePXhc3hVYdLrAzcjyeJ5EKfABA.", "scp": "User.Access", "sub": "U5X1IO2QzS6nwPKT5Kszb4z5PLFYXRBaAQLLUviEV9M", "tid": "7ebb2ad9-1bdb-47ea-a752-f19ac9d74085", "unique_name": "live.com#subbarayalugovindharajalu@outlook.com", "uti": "K-REmVfEA0mwQE7SewZoAA", "ver": "1.0" }

I can see audience and scope has value

But when i make some other http request the MsalGuard automatically appending bearer token in authorization header

but when decoding that it always shows invalid signature and the decoded data are

"{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/7ebb2ad9-1bdb-47ea-a752-f19ac9d74085/","iat":1683436212,"nbf":1683436212,"exp":1683441093,"acct":0,"acr":"1","aio":"AWQAm/8TAAAAZu6VufWnsX1eJqyt3m45,"b79fbf4d-3ef9-4689-8143-76b194e85509"],"xms_st":{"sub":"Sgnkz7m5XTZBMD2o0SAJym_98gc_DUPInEF1NGHUFck"},"xms_tcdt":168317334"

As you suggested i used https://jwt.ms/

but it showing blank (used the token that passed in header by msalguard)

Kindly help me point out what am doing wrong with your suggestion and experience

The below access_token is in the post request response

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJhcGk6Ly9jZDg1ZDdlMy01NWUxLTRiODctYWMwYy1kYzhmMjc4OWU0NDIiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83ZWJiMmFkOS0xYmRiLTQ3ZWEtYTc1Mi1mMTlhYzlkNzQwODUvIiwiaWF0IjoxNjgzNDM3NjY5LCJuYmYiOjE2ODM0Mzc2NjksImV4cCI6MTY4MzQ0MjkyMCwiYWNyIjoiMSIsImFpbyI6IkFZUUFlLzhUQUFBQVJLbVEvRlBweUVqNUdTd1NxUlV2cFdvWXlVTnJESWlPOFJrQ3BDTkpjMlVZSE1vbmM5YnVTZnMzSHNWajVoMFFsSFhyUW5WK0tjaUNMNGFNOEZTMVZtYVFaRjlkN292RmNvMzZxWW9GZmE5TXhORDFkTy9MSWdjMStLTi9xVzYrNlFzUVFVQ1pGOGJkMS9LYkZ5c2pyQU05UU1HalJFU3dvNVQzK2FjTExCZz0iLCJhbXIiOlsicHdkIl0sImFwcGlkIjoiOWUxNDNmYzAtMmYxNS00NjE4LWIzYzgtZDE0NmNjMGQzZDQxIiwiYXBwaWRhY3IiOiIwIiwiZW1haWwiOiJzdWJiYXJheWFsdWdvdmluZGhhcmFqYWx1QG91dGxvb2suY29tIiwiZmFtaWx5X25hbWUiOiJHb3ZpbmRoYXJhamFsdSIsImdpdmVuX25hbWUiOiJTdWJiYXJheWFsdSIsImlkcCI6ImxpdmUuY29tIiwiaXBhZGRyIjoiMTA2LjIyMS4xOC45NyIsIm5hbWUiOiJTdWJiYXJheWFsdSBHb3ZpbmRoYXJhamFsdSIsIm9pZCI6IjMzYTcxMzZjLWZhZWUtNGIwOC05MTA1LTdlNjU2Nzg4YWYxZCIsInJoIjoiMC5BVllBMlNxN2Z0c2I2a2VuVXZHYXlkZEFoZVBYaGMzaFZZZExyQXpjanllSjVFS2ZBQkEuIiwic2NwIjoiVXNlci5BY2Nlc3MiLCJzdWIiOiJVNVgxSU8yUXpTNm53UEtUNUtzemI0ejVQTEZZWFJCYUFRTExVdmlFVjlNIiwidGlkIjoiN2ViYjJhZDktMWJkYi00N2VhLWE3NTItZjE5YWM5ZDc0MDg1IiwidW5pcXVlX25hbWUiOiJsaXZlLmNvbSNzdWJiYXJheWFsdWdvdmluZGhhcmFqYWx1QG91dGxvb2suY29tIiwidXRpIjoiMEl3cFl0S216MHVtbFY4ak5wdURBQSIsInZlciI6IjEuMCJ9.RfoGkDiQkKW4JKCrD0J4Jz_ciJYwYhGR6W5h40DfExvBEfaAcmDQW4BGenf6zHfhqReetA3tTvYK9IPJvWKzn22DNr47sqiXHiPj2mrYBTkis9PNofoTjvKjC0AfwgfLQQmzsGAAcJilBzUgN3iLB-OlTYqNiFaRnf5u3lxu8sUQQ_7DrKbNqEJppNkkLIfioLUKcrC_-JdJ38XjYuU_tdljDJkqkqgghLAJyzDQ-BLnb_cUk5qRhfXXYR5fFZca0_jwU3R-tjPlOx4Jxs0cAAGjNvCwQKVnBDfbsFOkQt_gV9jKrtZ3IUl1h6MqeO60cFm9Mv5cDBr9bIPfggvuZg

The below token in in the authorization header (bearer)

eyJ0eXAiOiJKV1QiLCJub25jZSI6ImZBYU5IeUJ3WDRCcC1udUNXV2REejVDWENjd09pQ05UY3NUbWFydUhUM00iLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83ZWJiMmFkOS0xYmRiLTQ3ZWEtYTc1Mi1mMTlhYzlkNzQwODUvIiwiaWF0IjoxNjgzNDM3NzA2LCJuYmYiOjE2ODM0Mzc3MDYsImV4cCI6MTY4MzQ0MjM4NSwiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkFXUUFtLzhUQUFBQTBnL3B4ZDlScFBMUHZPVjlTcWhS…LCJiNzlmYmY0ZC0zZWY5LTQ2ODktODE0My03NmIxOTRlODU1MDkiXSwieG1zX3N0Ijp7InN1YiI6IlNnbmt6N201WFRaQk1EMm8wU0FKeW1fOThnY19EVVBJbkVGMU5HSFVGY2sifSwieG1zX3RjZHQiOjE2ODMxNzMzNDl9.FM7qC5sO99WNCTMmqQHrtVhPo9zMDh6KTF_kqP_Bnigdz2lJ0rC_GrbVZFQ2EQVGYNLvj2Vxlkp1Zxs0hGQqNDGAjmgDl37NKW-U63pBS2w8eYjYHc6BTEqcR5nTTn7cX3L6mx78le3RpU2WzLyDtCdFyPOwFQLnqVTZVv_ODzKXt_8yZHuWXImdJqJn8uOysJ_FRpBog1UHsOD2Bp3heYi_6Zk6dNzf8CiUPAQEdyejbXWws4oJFXYfqp59e_U41FQHhyplOsW4rBujcbh0lZQlRRb4JSRnOflZgWAcvOEBYmiFBer8uRuHKZTsnbXE5D0WItpqQfY64QRRuqEu7g

The header token is communicating well with https://graph.microsoft.com/v1.0/me and retrieving data successfully(What am trying to say is the header token is working with microsfot but can't verify the signature)

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-05-08T13:45:11.68+00:00

Thanks for accepting my question. It would be great if you can share what was the root cause of your issue.

Saravana 20 Reputation points

2023-05-09T01:26:43.5533333+00:00

Please check the following for the root caused may occur if you face the same issue.

Issuer details - some documentation says issuer to use as 'https://login.microsft......' and 'https://sts.windows.....'

Please use what you need depend on the type and version you are using.
in my case i used 'https://stc.windows..' and remember to put the front slash at the end it also cause error

And Please do that configuration properly. if configuration is not right the problem will never fix if you keep altering code.

Use ' loggingNoPII: false' when configuring api configuration it will help to put more advanced log that can be used to debug
Sign in to comment

3 additional answers

Konstantinos Passadis 17,286 Reputation points

2023-05-06T08:19:52.84+00:00
Hello @Saravana!

Welcome to Microsoft QnA!

For the token issue i suggest :

Ensure that the token is properly formatted according to the OpenID Connect (OIDC) specification. You can check this by decoding the token on jwt.io and verifying that it contains the required claims (e.g., issuer, audience, expiration time, etc.).

Check that the token was issued by the correct Azure AD tenant. You can verify this by checking the "iss" (issuer) claim in the token.

Ensure that your app registration is configured to issue tokens with the correct signing algorithm. By default, Azure AD issues tokens signed with the RS256 algorithm. If you are using a different algorithm, make sure that your token validation library supports it.

Check that the token signature is valid. You can do this by verifying the token signature using the public key associated with the signing certificate. You can obtain the public key from the Azure AD metadata endpoint (e.g., https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys).

If you are using the passport-azure-ad library for token validation, ensure that the library is configured correctly. Make sure that the "audience" option is set to the client ID of your web API app registration and the "issuer" option is set to the issuer URL of your Azure AD tenant.

Assisting Source : ChatGPT Subscription

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Please sign in to rate this answer.
Saravana 20 Reputation points

2023-05-06T08:47:50.7033333+00:00

I pretty sure client application configured correctly. because am using msal v2 library, angular v14 rxjs 7 example that is given by from microsft end.

I used this for my client application - https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-angular-v2-samples/angular14-rxjs7-sample-app

and updated client id, tenant id for using non b2c single tenant.

It sending token with the api request.

I also tried to verify the token using jwt.io
and followed the below step

First decode the token using jwt.io and get the 'kid'

Then requesting a public using the link that you sent

In the list of public key find the key that matches with my 'kid' in the token header

then used x5c string to verify the token but it still showing invalid signature in jwt.io

Could you process the input i sent and give me a good solution and your suggestion

and if you need any data like my clientid, token that attached in authorization header and public key that am receiving through endpoint, am willing to share the any of the details( am will create test details of the all and will send it to you. so there is no reason to concern about security)
Sign in to comment
Konstantinos Passadis 17,286 Reputation points

2023-05-06T09:16:08+00:00
Hello @Saravana!

Can you also verify this :

Make sure that you are using the correct public key to verify the token. Double-check that the "kid" value in the token header matches the "kid" value in the public key.

Ensure that the public key is being used in the correct format. Azure AD provides the public key in an X.509 certificate format, which may need to be converted to the correct format for your verification library.

Check that the clock on your server is synchronized with the clock on the machine generating the token. If the clocks are out of sync, it can cause token signature verification to fail.

Make sure that the library you are using to verify the token supports the algorithm used to sign the token. Azure AD supports several algorithms for token signing, including RS256, RS384, RS512, and HS256. If your library does not support the algorithm used by Azure AD, it will not be able to verify the token signature.

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Please sign in to rate this answer.
Saravana 20 Reputation points

2023-05-06T09:53:31.27+00:00

Make sure that you are using the correct public key to verify the token. Double-check that the "kid" value in the token header matches the "kid" value in the public key.

Ans: yes am using right public key that matches with 'kid' that passed in token header

Ensure that the public key is being used in the correct format. Azure AD provides the public key in an X.509 certificate format, which may need to be converted to the correct format for your verification library.

Ans: am using passport-azure-ad format. Tell me if i need to convert it into something. am using bearerstrategy to validate token in node js api.

Check that the clock on your server is synchronized with the clock on the machine generating the token. If the clocks are out of sync, it can cause token signature verification to fail.

Ans: My client side windows using IST 5:30+ timezone. Can you tell me the method to check what timezone is azure ad generating?

And is there issue with different timezone. what if user from different country accessed the application. would't mean that it will work on one place and not work on any other place?

Make sure that the library you are using to verify the token supports the algorithm used to sign the token. Azure AD supports several algorithms for token signing, including RS256, RS384, RS512, and HS256. If your library does not support the algorithm used by Azure AD, it will not be able to verify the token signature.

Ans: Am using passport-azure-ad package that provided by microsft . so am sure it will support the algorithm

I tried using verify my token that is passed in authorization header using. it always showing signature verification failed. I will share the below details. pls check if it can be verified your end. And let me know if i make any mistake while verifying

Token that passed in authorization header(Bearer)

eyJ0eXAiOiJKV1QiLCJub25jZSI6IkU5eFpFbXIwck5hRUVmLXUtaTJ5LTN2LVh3bm1YdlR5Um1NblpzUGdMN1kiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83ZWJiMmFkOS0xYmRiLTQ3ZWEtYTc1Mi1mMTlhYzlkNzQwODUvIiwiaWF0IjoxNjgzMzY1NTI3LCJuYmYiOjE2ODMzNjU1MjcsImV4cCI6MTY4MzM3MDA1MywiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkFXUUFtLzhUQUFBQTRaRVBYZXpMekdNbFBmdFVWYmZn…LCJiNzlmYmY0ZC0zZWY5LTQ2ODktODE0My03NmIxOTRlODU1MDkiXSwieG1zX3N0Ijp7InN1YiI6IlNnbmt6N201WFRaQk1EMm8wU0FKeW1fOThnY19EVVBJbkVGMU5HSFVGY2sifSwieG1zX3RjZHQiOjE2ODMxNzMzNDl9.ezZJYFhKZEuCLwKvXT2KuClyqQyd9KEKdjvDzXgJxpESdsOstI0Os9Rg37WO658jstzjXJNfWv4bS9K_TLXRadQ1_I0NFGAPwTHRoLv466kM-w1b6QLYNwXUtDXWv3Hyyx2pKZz2fbFJrIj3Fn6SufWlHxwwn3NqoTI-5lmY8W__JCMUrXiYuL1-MXpukB1tkDsQHekz95x4E9GLFJQymMS7MhEtTg-Xwqmgo7B5kvvTbR6MMq4CuCvhJ_cts92z2SFbe7ONVQxPcp7bcPwoh_SJG9GFEFePet-qzZxDUtB1GTT_cLlnlfHcWp5Uw56BDm2_FpgA38H_h06mIT1ZkQ

Decoded token header

{ "typ": "JWT", "nonce": "E9xZEmr0rNaEEf-u-i2y-3v-XwnmXvTyRmMnZsPgL7Y", "alg": "RS256", "x5t": "-KI3Q9nNR7bRofxmeZoXqbHZGew", "kid": "-KI3Q9nNR7bRofxmeZoXqbHZGew" }

Fetched public key that matches with 'kid' using the link that you gave with tenant id

{ "kty": "RSA", "use": "sig", "kid": "-KI3Q9nNR7bRofxmeZoXqbHZGew", "x5t": "-KI3Q9nNR7bRofxmeZoXqbHZGew", "n": "tJL6Wr2JUsxLyNezPQh1J6zn6wSoDAhgRYSDkaMuEHy75VikiB8wg25WuR96gdMpookdlRvh7SnRvtjQN9b5m4zJCMpSRcJ5DuXl4mcd7Cg3Zp1C5-JmMq8J7m7OS9HpUQbA1yhtCHqP7XA4UnQI28J-TnGiAa3viPLlq0663Cq6hQw7jYo5yNjdJcV5-FS-xNV7UHR4zAMRruMUHxte1IZJzbJmxjKoEjJwDTtcd6DkI3yrkmYt8GdQmu0YBHTJSZiz-M10CY3LbvLzf-tbBNKQ_gfnGGKF7MvRCmPA_YF_APynrIG7p4vPDRXhpG3_CIt317NyvGoIwiv0At83kQ", "e": "AQAB", "x5c": [ "MIIDBTCCAe2gAwIBAgIQGQ6YG6NleJxJGDRAwAd/ZTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIyMTAwMjE4MDY0OVoXDTI3MTAwMjE4MDY0OVowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSS+lq9iVLMS8jXsz0IdSes5+sEqAwIYEWEg5GjLhB8u+VYpIgfMINuVrkfeoHTKaKJHZUb4e0p0b7Y0DfW+ZuMyQjKUkXCeQ7l5eJnHewoN2adQufiZjKvCe5uzkvR6VEGwNcobQh6j+1wOFJ0CNvCfk5xogGt74jy5atOutwquoUMO42KOcjY3SXFefhUvsTVe1B0eMwDEa7jFB8bXtSGSc2yZsYyqBIycA07XHeg5CN8q5JmLfBnUJrtGAR0yUmYs/jNdAmNy27y83/rWwTSkP4H5xhihezL0QpjwP2BfwD8p6yBu6eLzw0V4aRt/wiLd9ezcrxqCMIr9ALfN5ECAwEAAaMhMB8wHQYDVR0OBBYEFJcSH+6Eaqucndn9DDu7Pym7OA8rMA0GCSqGSIb3DQEBCwUAA4IBAQADKkY0PIyslgWGmRDKpp/5PqzzM9+TNDhXzk6pw8aESWoLPJo90RgTJVf8uIj3YSic89m4ftZdmGFXwHcFC91aFe3PiDgCiteDkeH8KrrpZSve1pcM4SNjxwwmIKlJdrbcaJfWRsSoGFjzbFgOecISiVaJ9ZWpb89/+BeAz1Zpmu8DSyY22dG/K6ZDx5qNFg8pehdOUYY24oMamd4J2u2lUgkCKGBZMQgBZFwk+q7H86B/byGuTDEizLjGPTY/sMms1FAX55xBydxrADAer/pKrOF1v7Dq9C1Z9QVcm5D9G4DcenyWUdMyK43NXbVQLPxLOng51KO9icp2j4U7pwHP" ], "issuer": "https://login.microsoftonline.com/7ebb2ad9-1bdb-47ea-a752-f19ac9d74085/v2.0" },

Please try to verify the signature from your end and let me know if i made any mistake(if it verified pls tell me the steps, so that i can try it myself)

Konstantinos Passadis 17,286 Reputation points

2023-05-06T10:47:02.4+00:00

Hello

No the clock issue is for Azure AD generates tokens based on the timezone of the server where the tenant is hosted. You can check the timezone of your Azure AD tenant by going to the Azure portal and selecting the Azure Active Directory service. Then, go to the Properties tab and check the Timezone setting. If you are not sure which timezone to use for validation, you can convert the UTC time in the token to your local timezone for verification. AND

No it wont matter the end user ! It is just the generation-validation procedure i am asking for!

If you are still having issues verifying the token signature, you can try using a different validation library or method. For example, you can try using the Microsoft.IdentityModel.Tokens library for .NET applications or the jose library for Node.js.

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards

Saravana 20 Reputation points

2023-05-06T11:34:51.69+00:00

There is no such option as timezone in properties

also i have requested that, can you verify the token or not?
Sign in to comment
Konstantinos Passadis 17,286 Reputation points

2023-05-06T13:35:36.3066667+00:00

Hello @Saravana!

Yes i can do that later today!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment