AZURE AD : Check access token validity

Dylan Deleplanque 0 Reputation points
2023-12-04T13:23:45.3433333+00:00

Hello,

I have an application using Microsoft AzureAD for login. When i am logged, i store the access token and i pass it in the header to call my api.

I would like to know the best way for check if the access token is valid or not.

Thanks

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,394 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,567 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 29,531 Reputation points Microsoft Employee
    2023-12-08T04:28:57.76+00:00

    Hi @Dylan Deleplanque ,

    Thanks for reaching out.

    An access token contains claims that you can use in Azure Active Directory to identify the granted permissions to your APIs. For validation, developers can also decode JWTs using jwt.ms and perform several checks against the claims in the token as:

    • audience - Verifies that the token was intended to be given to your application. Access tokens are created based on the audience of the token,
    meaning the application that owns the scopes in the token.
    • not before and expiration time - Verifies that the token hasn't expired.
    • issuer - Verifies that the token was issued to your application by Azure AD.
    • nonce - A strategy for token replay attack mitigation.

    When your internal application receives an access token, it must validate the signature to prove that the token is authentic. Your application/API must also validate a few claims in the token to prove that it is valid.

    To Verify the JWT token:

    1. Verify that the JWT contains three segments, separated by two period ('.') characters.
    2. Parse the JWT to extract its three components. The first segment is the Header, the second is the Payload, and the third is the Signature. Each segment is base64url encoded.
    3. Signature contains the digital signature of the token that was generated by Azure AD’s private key and verify that the token was signed by the sender.

    To validate the authenticity of the JWT token’s data is by using Azure AD’s public key to verify the signature.
    You can obtain public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/common/.well-known/openid-configuration and verify against the private key generated by Azure AD token.

    If it works, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.