Microsoft public keys only validate id token and not access tokens

Ghasem Sherafati 10 Reputation points
2023-06-15T12:18:59.5633333+00:00

I'm trying to validate an access token in my Python app following this code sample from Microsoft. In line 99 it's decoding the token using the jose library:

    from jose import jwt  # python-jose

    # token, rsa_key, API_AUDIENCE and TENANT_ID come from the surrounding sample;
    # signature, audience and issuer are all checked in this one call.
    payload = jwt.decode(
        token,
        rsa_key,
        algorithms=["RS256"],
        audience=API_AUDIENCE,
        issuer="https://sts.windows.net/" + TENANT_ID + "/"
    )

Although at line #72 it says:

    """Determines if the Access Token is valid
    """

It only works if I pass the id token to it. Every time I pass the access token, I get this error:

JWTError: Signature verification failed

I really need to validate the access token because it's coming from a request and an API with bearer token authorization. How can I validate the access token instead of the id token?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Ghasem Sherafati 10 Reputation points
    2023-06-22T11:47:37.6366667+00:00

    I found the answer. It was because I was getting the token for Microsoft APIs, whilst what I needed was to get the custom API token. I solved it by adding a custom scope to my registered app configuration in the Azure portal.

    You can check more info in this link.

    2 people found this answer helpful.

  2. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-06-16T11:18:12.64+00:00

    Hi @Ghasem Sherafati ,

    Thanks for reaching out.

    You are not able to validate the token as the issuer URL specified in the code sample is the issuer of V1.

    The issuer value depends on the Access token version.

    Also, if you check OIDC metadata endpoint v1 (https://login.microsoftonline.com/common/.well-known/openid-configuration), issuer will be sts.windows.net and

    for OIDC metadata endpoint v2 (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration), issuer will be login.microsoft.com.

    To get the V2 access token, update the accessTokenAcceptedVersion value to 2 in the manifest of your registered application.


    Ideally, when validating an access token, the audience and issuer are validated. This validation happens against the OpenID discovery endpoint. The issuer value is usually the same as the one mentioned in the OpenID discovery endpoint.

    https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

    Update line 104, the value of issuer, to

    https://login.microsoftonline.com/{tenantid}/v2.0

    along with accessTokenAcceptedVersion to 2 to validate the access token.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if the answer helped you.
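The two answers above point at two different reasons the sample's `jwt.decode` call rejects an access token: the token was requested for a Microsoft API rather than the custom API (wrong `aud`), or the token is a v2 token while the sample hard-codes the v1 `sts.windows.net` issuer (wrong `iss`). The following is an added example, not code from the original post or from Microsoft's sample, that picks the expected issuer from the token's `ver` claim and triages the unverified claims so the failure is explained before the signed validation runs. The tenant id, audience, and the two sample tokens are constructed placeholders; `validate_access_token` assumes python-jose (`jose`) is installed and that `rsa_key` is the JWK selected from the tenant's JWKS, as in the sample.

```python
import base64
import json

# Placeholder values for this example (assumed, not from the original post);
# substitute your tenant id and the audience of your own API registration.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_AUDIENCE = "api://example-custom-api"


def expected_issuer(tenant_id: str, token_version: str) -> str:
    """Issuer value Entra ID places in an access token of the given version.

    v1 tokens (ver "1.0") use the sts.windows.net issuer the sample hard-codes;
    v2 tokens (ver "2.0", accessTokenAcceptedVersion = 2) use the v2.0 issuer.
    """
    if token_version == "1.0":
        return f"https://sts.windows.net/{tenant_id}/"
    if token_version == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    raise ValueError(f"unsupported token version: {token_version!r}")


def _b64url_decode_json(segment: str) -> dict:
    # JWT segments drop base64 padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded.encode()))


def unverified_claims(token: str) -> dict:
    """Parse the payload WITHOUT checking the signature. Use it only to decide
    which issuer to verify against, never as proof the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return _b64url_decode_json(parts[1])


def triage(token: str, tenant_id: str, audience: str) -> list:
    """Explain, from the unverified claims, why jwt.decode would reject the token."""
    claims = unverified_claims(token)
    problems = []
    ver = claims.get("ver")
    if ver not in ("1.0", "2.0"):
        problems.append(f"unknown or missing 'ver' claim: {ver!r}")
    else:
        want = expected_issuer(tenant_id, ver)
        if claims.get("iss") != want:
            problems.append(
                f"issuer mismatch: token carries {claims.get('iss')!r}, "
                f"a v{ver} token for this tenant should carry {want!r}"
            )
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        problems.append(
            f"audience mismatch: token was issued for {aud!r}, not {audience!r}; "
            "request the custom API scope rather than a Microsoft API scope"
        )
    return problems


def validate_access_token(token: str, rsa_key: dict,
                          tenant_id: str = TENANT_ID, audience: str = API_AUDIENCE) -> dict:
    """Signature, audience and issuer check with python-jose, choosing the issuer
    from the token's version instead of hard-coding the v1 value. The issuer is
    still compared only after the signature has been verified."""
    from jose import jwt  # python-jose, the library used by the sample in the question
    version = unverified_claims(token).get("ver")
    return jwt.decode(
        token,
        rsa_key,
        algorithms=["RS256"],
        audience=audience,
        issuer=expected_issuer(tenant_id, version),
    )


def _constructed_token(claims: dict) -> str:
    """Build an UNSIGNED token for demonstration only; the third segment is filler."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return f"{enc(header)}.{enc(claims)}.{enc({'sig': 'filler'})}"


# Constructed sample tokens (not real Entra tokens).
# 1) A v1 token requested for Microsoft Graph: the case in the asker's own answer.
GRAPH_V1_TOKEN = _constructed_token({
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": "https://graph.microsoft.com",
    "tid": TENANT_ID,
})
# 2) A v2 token for the custom API: the sample's hard-coded v1 issuer rejects it.
CUSTOM_V2_TOKEN = _constructed_token({
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": API_AUDIENCE,
    "tid": TENANT_ID,
})

if __name__ == "__main__":
    for name, tok in (("graph v1", GRAPH_V1_TOKEN), ("custom v2", CUSTOM_V2_TOKEN)):
        found = triage(tok, TENANT_ID, API_AUDIENCE)
        print(name, found or "claims consistent; now run validate_access_token() with the JWKS key")
```

`triage` is a diagnostic, not a security check: it reads the payload without verifying anything, so its only job is to say which of the two mistakes is present. The actual trust decision remains the single `jwt.decode` call in `validate_access_token`, which verifies the signature with the JWKS key and then checks `aud` and the version-appropriate `iss` against values the app configured itself.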

