Why is my idToken signature failing verification

nocap 0 Reputation points

I am looking to integrate Microsoft OAuth with my application and am having a difficult time understanding the documentation. I have registered my app to allow for users of all account types (work, school, personal, etc.) to be supported.

I generated an idToken in my iOS client using MSALAuthority SDK (using authority = https://login.microsoftonline.com/common) which I am passing to my backend server. I am using node-jose in the backend to verify the token signature. I am grabbing the keys from https://login.microsoftonline.com/common/discovery/v2.0/keys.

When I generated a test idToken with my email (an email within my tenant directory), the token signature is verified. However, I tested with a normal personal account and a separate school account (associated with a different tenant) and those idTokens were not validated. I saw that the kid claim matched the kids found from the public keys I'm using.

Here are the kid values I'm seeing:

  • my email: T1St-dLTvyWRgxB_676u8krXS-I
  • personal account: XouXLYQ1Tip5odYajiCtFVgVaEs
  • school account: T1St-dLTvyWRgxB_676u8krXS-I

I believe I'm using the correct public keys and have implemented node-jose properly. Could anyone provide some insight into why these idToken signatures are not verified? Even when I input the tokens into https://jwt.davetonge.co.uk/ (JSON web token verifier), it says it's able to find a matching key but the signature is not verified. Any help is appreciated, thanks!
