Signature verification fails for access token

Question

Signature verification fails for access token

Aliaksandr Stsiapanay 5

Hello,

Signature verification of access token fails with JWKS https://login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appId=04f73406-aedb-4bb3-8697-9381e2cedc8b

JWT header:

{
  "typ": "JWT",
  "nonce": "2mcGtFKjeHKlOzPqxjvOM9_OD5EQeYfGu6YtfEFHuBk",
  "alg": "RS256",
  "x5t": "T1St-dLTvyWRgxB_676u8krXS-I",
  "kid": "T1St-dLTvyWRgxB_676u8krXS-I"
}

Signature algorithm SHA256withRSA returns <code>false</code>: computed(from public key) and provided(from access token) singatures are different. It worked fine 2-3 days ago.

Could you please help me with that issue?

3 answers

Your answer

Answer 1

The reason signature verification fails for Access Token is the 'nonce' field in its JWT header. It should be represented as an SHA256 hash. Before signature verification, the SHA256 hash of current value of 'nonce' should be calculated and be replaced with that: header.nonce = sha256(header.nonce).

C# code example can be found at Stack Overflow: https://stackoverflow.com/a/71588115/2659770

On the other hand, Access Token is not designed to be validated by you or shared to someone else (e.g. your server side), its audience is the Graph API, validation, signatuer verification etc. is done by Graph API.

Answer 2

Hi @Aliaksandr Stsiapanay , to verify the access token signature, you need to obtain the public key from the JSON Web Key Set (JWKS) endpoint and use it to verify the signature of the access token.

In your case, the JWKS endpoint is login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appId=04f73406-aedb-4bb3-8697-9381e2cedc8b.You can use a tool like openssl to verify the signature of the access token. Here is an example command:

openssl dgst -sha256 -verify <(openssl x509 -in <(curl -s https://login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appid=04f73406-aedb-4bb3-8697-9381e2cedc8b | jq -r '.keys[0].x5c[0] | "-----BEGIN CERTIFICATE-----\n" + . + "\n-----END CERTIFICATE-----"')) -signature <(echo "" | base64 -d) <(echo -n ".")

Replace <SIGNATURE> with the signature from the access token, <HEADER> with the base64-encoded header of the access token, and <PAYLOAD> with the base64-encoded payload of the access token.

If the signature verification fails, it is possible that the public key has changed or the access token has been tampered with. You can try obtaining a new access token and verifying its signature again.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Aliaksandr Stsiapanay 5 Reputation points

2023-12-11T08:58:02.12+00:00

Hi @James Hamil

Thank you for your detailed answer how to verify a token signature with open SSL.

However the root cause I found was different. It turned out I applied the scope openid profile user.Read email offline_access.

The token was signed with private key issued by MS Graph. And as a result the token signature verification failed.

I should have applied the scope {api app client_id}/.default as that was mentioned in https://stackoverflow.com/questions/67639910/validation-of-azure-ad-token-signature-is-invalid-the-tokens-signature-resulte/67774053#67774053?newreg=2aa2472532aa47dfa5f67d1ca98d5a40
Sergio Mansilla Vidal 0 Reputation points

2024-10-16T21:39:05.0066667+00:00

Thank you very much, this information helped me to solve some similar problems.

Answer 3

Fred 20

Interesting information.

So for what the access tokens are supposed to be used? I guess they can be used to collect "user info" from the userinfo_endpoint?

Gabor Hollosy 15 Reputation points

2025-03-26T09:31:44.0833333+00:00

So far, I haven't had much to do with Entra ID and especially with Graph API. What I needed is to have valid token which describes me the authenticated user and its roles (groups). Luckily, IdToken contains what needed almost -of course, I had to make a group guid to app role mapping on server side.

My guess is that Microsoft presented Access Token's header.nonce wrong by purpose, to prevent it to be used for other API except Graph API, because its validation fails if its header.nonce field is not corrected.
Fred 20 Reputation points

2025-03-27T11:09:48.0833333+00:00

I see. Indeed, ID tokens are there to identify the end-user. This is a part of the layer added by OpenID Connect (OIDC) on top of OAuth2.0.

On my side I am working on a relying party (RP) OIDC implementation. Should not a RP at least validate the JWTs (ID Tokens or not)? If the JWTs are JWSs, should not there signatures be verified? If, yes, Microsoft Entra ID as OP breaks this rule.
Gabor Hollosy 15 Reputation points

2025-03-27T12:01:32.7166667+00:00

The IdToken can and must be validated, it is completely a valid JWT token. It is the Access Token that cannot be validated without correcting the header.nonce field. If you check Access Token's payload.aud (= Audience) field, you would see that there is the Graph API guid and not your client identity. On the contrary, the IdToken's payload.aud field contains your client identity.
Fred 20 Reputation points

2025-03-27T12:44:24.8+00:00

I agree. Thank you for replying.

Share via

Signature verification fails for access token

3 answers

Your answer