Signature verification fails for access token

Aliaksandr Stsiapanay 5 Reputation points
2023-12-08T12:43:53.4966667+00:00

Hello,

Signature verification of access token fails with JWKS https://login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appId=04f73406-aedb-4bb3-8697-9381e2cedc8b

JWT header:

{
  "typ": "JWT",
  "nonce": "2mcGtFKjeHKlOzPqxjvOM9_OD5EQeYfGu6YtfEFHuBk",
  "alg": "RS256",
  "x5t": "T1St-dLTvyWRgxB_676u8krXS-I",
  "kid": "T1St-dLTvyWRgxB_676u8krXS-I"
}

Signature algorithm SHA256withRSA returns false: the computed (from the public key) and provided (from the access token) signatures are different. It worked fine 2-3 days ago.

Could you please help me with that issue?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

    James Hamil 26,881 Reputation points Microsoft Employee
    2023-12-08T21:26:00.7666667+00:00

    Hi @Aliaksandr Stsiapanay , to verify the access token signature, you need to obtain the public key from the JSON Web Key Set (JWKS) endpoint and use it to verify the signature of the access token.

    In your case, the JWKS endpoint is login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appId=04f73406-aedb-4bb3-8697-9381e2cedc8b. You can use a tool like openssl to verify the signature of the access token. Here is an example command:

    JWKS='https://login.microsoftonline.com/b41b72d0-4e9f-4c26-8a69-f949f367c91d/discovery/keys?appId=04f73406-aedb-4bb3-8697-9381e2cedc8b'
    # Take the signing certificate from the JWKS (keys[0] here; use the entry whose "kid" matches the token header) and extract its public key
    curl -s "$JWKS" | jq -r '.keys[0].x5c[0] | "-----BEGIN CERTIFICATE-----\n" + . + "\n-----END CERTIFICATE-----"' \
      | openssl x509 -pubkey -noout > pubkey.pem
    # JWT signatures are base64url without padding: convert the alphabet and restore the '=' padding before decoding
    SIG='<SIGNATURE>'; PAD=$(( (4 - ${#SIG} % 4) % 4 ))
    { printf '%s' "$SIG" | tr '_-' '/+'; printf '%*s' "$PAD" '' | tr ' ' '='; } | base64 -d > sig.bin
    openssl dgst -sha256 -verify pubkey.pem -signature sig.bin <(printf '%s' '<HEADER>.<PAYLOAD>')

    Replace <SIGNATURE> with the signature from the access token, <HEADER> with the base64-encoded header of the access token, and <PAYLOAD> with the base64-encoded payload of the access token.

    If the signature verification fails, it is possible that the public key has changed or the access token has been tampered with. You can try obtaining a new access token and verifying its signature again.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
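The procedure the answer describes, as an added end-to-end example that is not code from the question, the answer or Microsoft: it parses the token header, selects the JWKS entry whose kid matches (rather than keys[0]), base64url-decodes the signature and verifies RS256 over the header and payload bytes exactly as received, and reports the failure modes a rolled-over signing key produces. It assumes a toy RSA key built from two Mersenne primes and a hand-rolled RSASSA-PKCS1-v1_5 so that it runs offline on the standard library; the kid value and claims are constructed.

```python
import base64, hashlib, json, secrets

# Toy RSA key from two Mersenne primes: deterministic, needs no key generation, demonstration only
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    # JWT fields are base64url with '=' padding stripped; restore it or the decoder rejects them
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    # RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes, as RS256 requires
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, d: int, n: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, e: int, n: int) -> bool:
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and secrets.compare_digest(em, emsa_pkcs1_v15(msg, k))

def jwks_for(kid: str, e: int, n: int) -> dict:
    # JWKS entry as the discovery endpoint publishes it: base64url big-endian "n" and "e"
    return {"keys": [{"kty": "RSA", "kid": kid, "e": b64url_encode(e.to_bytes(3, "big")),
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}]}

def sign_jwt(claims: dict, kid: str, d: int, n: int) -> str:
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), d, n))

def verify_jwt(token: str, jwks: dict) -> str:
    # Verify over header.payload exactly as received; re-serialising the JSON changes the bytes
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":
        return "unexpected alg"
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        return "kid not in JWKS"  # key rolled over or wrong endpoint: refetch the JWKS, never fall back to keys[0]
    e, n = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("e", "n"))
    return "ok" if rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), e, n) else "bad signature"
```

A real verifier fetches the JWKS from the tenant's discovery endpoint (the URL in the question) and caches it keyed by kid, refreshing when a token names a kid that is not in the cache.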
