Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,589 questions
Why is my idToken signature failing verification
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 56.00000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
nocap
0
Reputation points
I am looking to integrate microsoft oauth with my application and am having a difficult time understanding the documentation. I have registered my app to allow for users of all account types (work, school, personal, etc) to be supported.
I generated an idToken in my iOS client using MSALAuthority SDK (using authority = https://login.microsoftonline.com/common) which I am passing to my backend server. I am using node-jose in the backend to verify the token signature. I am grabbing the keys from https://login.microsoftonline.com/common/discovery/v2.0/keys.
When I generated a test idToken with my email (an email within my tenant directory), the token signature is verified. However, I tested with a normal personal account and a separate school account (associated with a different tenant) and those idTokens were not validated. I saw that the kid claim matched the kids found from the public keys I'm using.
Here are the kid values I'm seeing:
- my email:
T1St-dLTvyWRgxB_676u8krXS-I - personal account:
XouXLYQ1Tip5odYajiCtFVgVaEs - school account:
T1St-dLTvyWRgxB_676u8krXS-I
I believe I'm using the correct public keys and have implemented node-jose properly. Could anyone provide some insight into why these idToken signatures are not verified? Even when I input the tokens into https://jwt.davetonge.co.uk/ (JSON web token verifier), it says it's able to find a matching key but the signature is not verified. Any help is appreciated, thanks!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Navya 10,220 Reputation points Microsoft Vendor2023-12-06T06:44:54.9933333+00:00 Hi@nocap
Thank you for posting this in Microsoft Q&A.
I understand you are having issue when the signature of an IdToken generated using MSALAuthority SDK in their iOS client. When you tested with a normal personal account and a separate school account (associated with a different tenant) and those IDTokens were not validated.
This common endpoint
https://login.microsoftonline.com/commonallows work and school accounts or personal Microsoft accounts.
For more information: https://learn.microsoft.com/en-us/entra/identity-platform/msal-client-application-configuration#authority
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya. -
nocap 0 Reputation points
2023-12-06T15:01:09.15+00:00 Hello, thanks for your response. I am already using the
/commonauthority you listed to generate the idToken but the signature isn't valid. The token claims are all correct as expected, but I'm not sure why the signature isn't valid. I am trying again and it seems all account types aren't working (school accounts, personal accounts, and my directory). Do you have any insight into why that might be?Am I using the correct SDK library for my Entra application? I've used both MSALAuthority and MSALAADAuthority and they both return idTokens with invalid signatures
-
Navya 10,220 Reputation points Microsoft Vendor
2023-12-07T10:26:58.6466667+00:00 Hi@nocap ,
This endpoint
https://login.microsoftonline.com/commonsupports both Work and School accounts or personal Microsoft Accounts.I have reproduced the same scenarios in my environment. My IDtokens got verified into jwt.ms. Below is my Id_Token kid values:
Work and School Account: T1St-dLTvyWRgxB_676u8krXS-I
Personal Microsoft Account: XouXLYQ1Tip5odYajiCtFVgVaEs
I Request an ID token with below URL.https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=Application_Id &response_type=id_token &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient &response_mode=fragment &scope=openid &nonce=abcdeTested in jwt.ms, signature got verified.
Try to validate your Id_tokens in jwt.msf you are still unable to verify, please send us an email on azcommunity [at] Microsoft [dot] com referencing this issue with a subject line "ATTN: Navya" along with you Azure subscription id and we will help you with alternative support options on this.
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya. -
nocap 0 Reputation points
2023-12-07T14:48:50.5433333+00:00 Hi, yes I am aware of jwt.ms but it does not tell you if your signature is valid. You can test this by resubmitting the token with random text appended to the end of it - it shows the same preview (even when refreshing).
I am able to generate a token that has a header and valid payload claims, but the issue is an incorrect signature. I'm unsure if I'm generating it incorrectly or not validating it correctly. Please advise. For context, I was able to generate a valid idToken using the tutorial web app code. I'm not sure why my iOS code is failing
jwt.ms does not help as it only decodes the token and does not verify it. I have testing my idToken with https://jwt.davetonge.co.uk/, jwt.io, and node-jose. All 3 have shown that the idTokens do not have a verified signature. Do you have any advice on if I'm generating incorrectly in my client? I'm unsure of where it's creating this error
I tried to send you an email with an example of the idToken I'm getting but I don't think it was able to send. I got the following reply: "The group mtmvp only accepts messages from people in its organization or on its allowed senders list, and your email address isn't on the list."
Thanks for the help!
-
Navya 10,220 Reputation points Microsoft Vendor
2023-12-18T04:36:20.5933333+00:00 Hi @nocap ,
I tested my ID token with https://jwt.davetonge.co.uk/, jwt.io, and I noticed that my ID tokens had a verified signature. As I mentioned earlier using this endpoint to get Id_Token
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?along with redirect_uri,scope,response_type,response_mode and nonce parameter.Could you please share the URL where you are using the iOS MSALAuthority SDK to request an idToken?It would be beneficial for me to provide you with detailed assistance.
-
Sign in to comment
Sign in to answer