Can't validate azure ad token in node js web api (Non b2c)

Saravana 20 Reputation points
2023-05-06T05:39:49.4266667+00:00

I have registered two app in azure ad (Non b2c)

One for client application and one for web api

I have created a scope in web api app registration and added the scope using add permission in client app registration

I can able to sign in and sign out in angular using msal v2 library with the example code given by microsoft(angular v14 rxjs v7)

and i can able to send the token in authorization header. But i can't verify the token. It always showing authentication failed due to invalid token. The package i used in passport-azure-ad.

So i try to validate token using jwt.io. In order to do this i fetched public keys and used it. But still invalid signature issue.

Configuration i used, Client applcation; ClientId - (used client app client id) tenantId

web api application clientID (used web api client id) audience (used web api registration application uri id)

And i checked it through many documentation. microsoft only providing documentation for b2c login. I want to implement non b2c azure ad.

I currently using free trial account. is token verification will not work if i use free account?

waiting for your reply

thanks in advance

Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,058 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

Accepted answer
  1. 2023-05-07T03:14:03.06+00:00

    Hello @Saravana , the token provided does not look like an access token, it lacks the scp (scope) claim and targets the Microsoft Graph resource (00000003-0000-0000-c000-000000000000) thus looks more like an ID token. ID tokens are not meant to be used against apis. You need to request an access token passing one of your api scopes. Eg (considering 3e313981-118f-43c4-93e9-7cbda6a5c742 it's your api app/client id):

    api://3e313981-118f-43c4-93e9-7cbda6a5c742/scope1

    api://3e313981-118f-43c4-93e9-7cbda6a5c742/.default (requests all scopes)

    Follows a sample on how to setup automatic access token request per url using the MSAL Interceptor. Take a look to the protectedResourceMap property:

    import { NgModule } from '@angular/core';
    import { HTTP_INTERCEPTORS, HttpClientModule } from "@angular/common/http";
    import { AppComponent } from './app.component';
    import { MsalModule, MsalRedirectComponent, MsalGuard, MsalInterceptor } from '@azure/msal-angular'; // Import MsalInterceptor
    import { InteractionType, PublicClientApplication } from '@azure/msal-browser';
    
    @NgModule({
        declarations: [
            AppComponent,
        ],
        imports: [
            MsalModule.forRoot( new PublicClientApplication({
                // MSAL Configuration
            }), {
                // MSAL Guard Configuration
            }, {
                // MSAL Interceptor Configurations
                interactionType: InteractionType.Redirect,
                protectedResourceMap: new Map([ 
                    ['one_of_your_api_endpoints', ['one_of_your_api_scopes'] /*['one_scope','other_scope','etc'*/]
                ])
            })
        ],
        providers: [
            {
                provide: HTTP_INTERCEPTORS, // Provides as HTTP Interceptor
                useClass: MsalInterceptor,
                multi: true
            },
            MsalGuard
        ],
        bootstrap: [AppComponent, MsalRedirectComponent]
    })
    export class AppModule { }
    

    Regarding jwt.io, the invalid signature is well known issue when trying to validate Azure AD tokens. Switch to https://jwt.ms/ for token validation. Keep in mind some tokens are not meant to be decoded/decrypted.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution


3 additional answers

Sort by: Most helpful
  1. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-06T08:19:52.84+00:00

    Hello @Saravana!

    Welcome to Microsoft QnA!

    For the token issue i suggest :

    Ensure that the token is properly formatted according to the OpenID Connect (OIDC) specification. You can check this by decoding the token on jwt.io and verifying that it contains the required claims (e.g., issuer, audience, expiration time, etc.).

    Check that the token was issued by the correct Azure AD tenant. You can verify this by checking the "iss" (issuer) claim in the token.

    Ensure that your app registration is configured to issue tokens with the correct signing algorithm. By default, Azure AD issues tokens signed with the RS256 algorithm. If you are using a different algorithm, make sure that your token validation library supports it.

    Check that the token signature is valid. You can do this by verifying the token signature using the public key associated with the signing certificate. You can obtain the public key from the Azure AD metadata endpoint (e.g., https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys).

    1. If you are using the passport-azure-ad library for token validation, ensure that the library is configured correctly. Make sure that the "audience" option is set to the client ID of your web API app registration and the "issuer" option is set to the issuer URL of your Azure AD tenant.

    Assisting Source : ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards


  2. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-06T09:16:08+00:00

    Hello @Saravana!

    Can you also verify this :

    • Make sure that you are using the correct public key to verify the token. Double-check that the "kid" value in the token header matches the "kid" value in the public key.
      
    • Ensure that the public key is being used in the correct format. Azure AD provides the public key in an X.509 certificate format, which may need to be converted to the correct format for your verification library.
      
    • Check that the clock on your server is synchronized with the clock on the machine generating the token. If the clocks are out of sync, it can cause token signature verification to fail.
      
    • Make sure that the library you are using to verify the token supports the algorithm used to sign the token. Azure AD supports several algorithms for token signing, including RS256, RS384, RS512, and HS256. If your library does not support the algorithm used by Azure AD, it will not be able to verify the token signature.
      

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards


  3. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-06T13:35:36.3066667+00:00

    Hello @Saravana!

    Yes i can do that later today!

    User's image

    0 comments No comments