Solution is here: https://authguidance.com/azure-ad-troubleshooting/
Signature verification for JWT issued by Azure
Hello, dear support,
Could you assist us with the following question related to JWT token verification:
Recently we started writing functionality for Single Sign On for Microsoft users. We are guided by this documentation https://learn.microsoft.com/en-gb/entra/identity-platform/v2-oauth2-auth-code-flow and using OAuth 2.0.
It looks good and we are almost done, but still, we cannot verify the JWT signature with the published public keys. In our case, we are fetching those keys from https://login.microsoftonline.com/573ae0ae-0a5d-4098-8813-0f140a1c85da/discovery/v2.0/keys
We are using PHP as a programming language and thought that maybe it is some incompatibility between the libraries we are using with JWK (lcobucci/jwt, firebase/php-jwt).
Then we tried to use popular online tools (https://jwt.io, https://developer.pingidentity.com/en/tools/jwt-decoder.html) to verify it. Every time we have the same result: the signature is not verified.
Could you give us a tip on where we're mistaken, because it seems like we have already tried all possible ways to find the root cause of the issue?
Maybe you could give us an example of code (programming language does not matter) where that pair (JWT and public key) works in signature verification?
Thank you everybody in advance for any valuable help.
I expect to verify the JWT token issued by Microsoft through the provided public key.
I know about jwt.ms, but please correct me if I'm wrong: it doesn't verify the signature on the OpenSSL level. So, from a security perspective, it's not enough.
Microsoft Security | Microsoft Graph
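The "OpenSSL level" check the poster asks about, written as an added example (not code from the post, from Microsoft, or from the PHP libraries named above) using only the Python standard library so every step of RS256 verification against a JWKS document is visible: select the key by `kid`, rebuild the RSA public key from `n`/`e`, verify the RSASSA-PKCS1-v1_5/SHA-256 signature, then check `iss`, `aud` and `exp`. The `nonce` check reflects a known Azure AD behaviour that the post does not mention (access tokens minted for Microsoft Graph carry a `nonce` header and are not meant to be validated by other parties); the `audience` and `issuer` values are supplied by the caller and are placeholders here.

```python
import base64, hashlib, hmac, json, time
# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    """JWT segments are base64url without padding; add it back before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15_sha256(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), em_len bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("RSA modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_rs256(token: str, jwks: dict, audience: str, issuer: str, now: float = None) -> dict:
    """Verify an RS256 JWT against a JWKS document; return the claims or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # never let the token pick 'none' or an HMAC alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if "nonce" in header:
        # Known Azure AD behaviour (see lead-in): access tokens minted for Microsoft Graph
        # carry a 'nonce' header and do not validate outside Graph. Reject them up front.
        raise ValueError("token has a 'nonce' header: it is a Graph access token, not one for your API")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA":
        raise ValueError(f"no RSA key with kid {header.get('kid')!r} in the JWKS")
    # Rebuild the public key from the JWK's big-endian base64url integers
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(sig_b64)
    if len(sig) != k:
        raise ValueError("signature length does not match the modulus")
    # RSASSA-PKCS1-v1_5: sig^e mod n must equal the expected encoding of the signing input
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, emsa_pkcs1_v15_sha256(signing_input, k)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))  # trusted only after the check above
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != audience:
        raise ValueError(f"token is for audience {claims.get('aud')!r}, not {audience!r}")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

In production the JWKS would be fetched from the tenant's discovery endpoint and cached; a token whose `aud` is the Graph API rather than your own application registration is the first thing to rule out when the signature check fails.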
1 answer
Borys Yermokhin | Roadsurfer.com 0 Reputation points
2023-12-08T08:56:43.1766667+00:00