Why is my idToken signature failing verification
I am looking to integrate Microsoft OAuth with my application and am having a difficult time understanding the documentation. I have registered my app to allow for users of all account types (work, school, personal, etc.) to be supported.
I generated an idToken in my iOS client using the MSAL SDK (using authority = https://login.microsoftonline.com/common) which I am passing to my backend server. I am using node-jose in the backend to verify the token signature. I am grabbing the keys from https://login.microsoftonline.com/common/discovery/v2.0/keys.
When I generated a test idToken with my email (an email within my tenant directory), the token signature is verified. However, I tested with a normal personal account and a separate school account (associated with a different tenant) and those idTokens were not validated. I saw that the `kid` claim matched the `kid`s found from the public keys I'm using.
Here are the `kid` values I'm seeing:
- my email: T1St-dLTvyWRgxB_676u8krXS-I
- personal account: XouXLYQ1Tip5odYajiCtFVgVaEs
- school account: T1St-dLTvyWRgxB_676u8krXS-I
I believe I'm using the correct public keys and have implemented node-jose properly. Could anyone provide some insight into why these idToken signatures are not verified? Even when I input the tokens into https://jwt.davetonge.co.uk/ (JSON web token verifier), it says it's able to find a matching key but the signature is not verified. Any help is appreciated, thanks!