Hi @Aliaksandr Stsiapanay, to verify the access token signature, you need to obtain the public key from the JSON Web Key Set (JWKS) endpoint and use it to verify the signature of the access token.
In your case, the JWKS endpoint is login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appId=04f73406-aedb-4bb3-8697-9381e2cedc8b. You can use a tool like openssl to verify the signature of the access token. Here is an example command:
# JWT segments are base64url ("-_" alphabet, no "=" padding); convert the signature back to standard base64 before decoding it
SIG="<SIGNATURE>"; SIG=$(printf '%s' "$SIG" | tr '_-' '/+'); while [ $(( ${#SIG} % 4 )) -ne 0 ]; do SIG="$SIG="; done
# .keys[0] assumes the first JWKS entry signed the token; when several keys are listed, pick the one whose "kid" matches the token header
openssl dgst -sha256 \
  -verify <(curl -s "https://login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appid=04f73406-aedb-4bb3-8697-9381e2cedc8b" \
            | jq -r '.keys[0].x5c[0] | "-----BEGIN CERTIFICATE-----\n" + . + "\n-----END CERTIFICATE-----"' \
            | openssl x509 -pubkey -noout) \
  -signature <(printf '%s' "$SIG" | base64 -d) \
  <(printf '%s' "<HEADER>.<PAYLOAD>")
Replace <SIGNATURE> with the signature from the access token, <HEADER> with the base64-encoded header of the access token, and <PAYLOAD> with the base64-encoded payload of the access token.
If the signature verification fails, it is possible that the public key has changed or the access token has been tampered with. You can try obtaining a new access token and verifying its signature again.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
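Worked example of the verification described above, carried out end to end with openssl. It is added here as an illustration and is not part of James's answer or any Microsoft tooling: it generates its own RSA key, self-signed certificate, kid and claims (all constructed for the demonstration), publishes the certificate the way a JWKS "x5c" value does, and then checks a token the way the answer describes, including the base64url conversion and the certificate-to-public-key step that openssl dgst -verify needs. The names b64url_encode, b64url_decode, mint_jwt and verify_jwt are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not the original answer's command): mint an RS256 JWT with a
# locally generated key, expose the signing certificate as a JWKS x5c entry would,
# and verify the token's signature step by step with openssl.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# JWT segments are base64url without padding; openssl only speaks standard base64.
b64url_encode() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# --- Issuer side (stands in for the identity provider; all values constructed) --
openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null
# Self-signed certificate: its DER form is what a JWKS publishes in "x5c[0]".
openssl req -x509 -new -key "$WORK/priv.pem" -subj '/CN=example-issuer' \
  -days 1 -out "$WORK/cert.pem" 2>/dev/null
X5C=$(openssl x509 -in "$WORK/cert.pem" -outform DER | openssl base64 -A)

HEADER='{"alg":"RS256","typ":"JWT","kid":"example-kid"}'
PAYLOAD='{"iss":"https://issuer.example","aud":"api://example","sub":"user1","exp":4102444800}'

mint_jwt() {
  local signing_input sig
  signing_input="$(printf '%s' "$HEADER" | b64url_encode).$(printf '%s' "$PAYLOAD" | b64url_encode)"
  sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$WORK/priv.pem" | b64url_encode)
  printf '%s.%s' "$signing_input" "$sig"
}
JWT=$(mint_jwt)

# --- Verifier side ---------------------------------------------------------------
# Step 1: wrap the x5c value as a PEM certificate, then extract the public key.
# "-pubkey -noout" is required: dgst -verify takes a public key, not a certificate.
{ echo '-----BEGIN CERTIFICATE-----'; printf '%s\n' "$X5C" | fold -w 64; echo '-----END CERTIFICATE-----'; } > "$WORK/jwks_cert.pem"
openssl x509 -in "$WORK/jwks_cert.pem" -pubkey -noout > "$WORK/pub.pem"
PUB_PEM="$WORK/pub.pem"

# Step 2: split the token, decode its signature, verify it over "header.payload".
# Returns 0 (and prints "Verified OK") on success, non-zero on failure.
verify_jwt() {
  local token="$1" pubkey="$2" h p s sigfile rc
  h=${token%%.*}; s=${token##*.}; p=${token#*.}; p=${p%.*}
  sigfile=$(mktemp)
  b64url_decode "$s" > "$sigfile"
  printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$pubkey" -signature "$sigfile"
  rc=$?
  rm -f "$sigfile"
  return $rc
}

# A token whose payload was altered after signing must be rejected.
TAMPERED_PAYLOAD=$(printf '%s' "$PAYLOAD" | sed 's/user1/user2/' | b64url_encode)
TAMPERED="${JWT%%.*}.$TAMPERED_PAYLOAD.${JWT##*.}"

if verify_jwt "$JWT" "$PUB_PEM" >/dev/null; then echo "genuine token: signature valid"; fi
if ! verify_jwt "$TAMPERED" "$PUB_PEM" >/dev/null; then echo "tampered token: signature rejected"; fi
```

Run it with bash (it relies on process substitution-free constructs, so only openssl and coreutils are needed). Two points the answer's one-liner leaves implicit and that matter in practice: the JWKS entry must be selected by the "kid" in the token header rather than taken as the first key, and a valid signature only proves who signed the token; the verifier still has to check "iss", "aud" and "exp" before trusting the claims.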