This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 54%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
I'm trying to validate an access token in my Python app following this code sample from Microsoft So in line 99 it's decoding the token using jose library:
payload = jwt.decode(
token,
rsa_key,
algorithms=["RS256"],
audience=API_AUDIENCE,
issuer="https://sts.windows.net/" + TENANT_ID + "/"
)
Although at line #72 it says:
"""Determines if the Access Token is valid
"""
It only works if I pass the id token to it. Every time I pass the access token, I get this error:
JWTError: Signature verification failed
I really need to validate the access token because its coming from a request and an API with bearer token authorization. How can I validate the access token instead of id token?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Ghasem Sherafati ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
I found the answer. It was because I was getting the token for Microsoft APIs, whilst what I was needed was to get the Custom API token. I solved it by adding a custom scope to my registered app configurations in Azure portal.
You can check more info in this link.
Hi @Ghasem Sherafati ,
Thanks for reaching out.
You are not able to validate the token as the issuer URL specified in the code sample is the issuer of V1.
The issuer value depends on the Access token version.
Also, if you check OIDC metadata endpoint v1 (https://login.microsoftonline.com/common/.well-known/openid-configuration), issuer will be sts.windows.net and
for OIDC metadata endpoint v2 (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration), issuer will be login.microsoft.com.
To get the V2 access token, update the accessTokenAcceptedVersion value to 2 in the manifest of your registered application .
Ideally when validating an access token, the audience, and issuer mostly validated. This validation happens against the OpenId discovery endpoint. Now the issuer value is usually the same as the one mentioned in the OpenID Discovery endpoint.
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
Update the line 104, the value of issuer to
https://login.microsoftonline.com/{tenantid}/v2.0
along with accessTokenAcceptedVersion to 2 to validate the access token.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
Unfortunately, This is not helpful because this configurations are already there. I'll post the solution I found