How to validate MS Azure token?

Question

How to validate MS Azure token?

Alexey Mykhailov 25

Hello, I have an enterprise application set up in MS Azure. It has a MacOS and Android sections filled up for mobile application to retrieve JWT-tokens using address like:

https://login.microsoftonline.com/2c671079-81a2-432c-8377-ef4bf2337e74/v2.0

Question: how the tokens issued by Azure can be verified by my application server? For example, mobile application obtains a JWT from MS Azure server and then sends a request to my server to get some data using this token. How my server can ensure that this token is valid? Should it send some request to a special Azure validation endpoint to check this token? Or should it have some kind of a webhook for Azure to report that this token was issued?

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Azizkhon Ishankhonov 1,010

Hi @Alexey Mykhailov First of all, take a look documentation where the oauth2.0 flow is described.
Here is the link: https://learn.microsoft.com/en-us/entra/architecture/auth-oauth2 Diagram of architecture

As you can see, validation will be done on your server side, and depending on your tech stack I can provide instructions on how to configure authentication on your server. Please let me know if further help is necessary.

Azizkhon Ishankhonov 1,010 Reputation points

2024-01-18T14:24:50.8133333+00:00

Note: usually token endpoint ends with /token, for your case
https://login.microsoftonline.com/2c671079-81a2-432c-8377-ef4bf2337e74/v2.0/token
Alexey Mykhailov 25 Reputation points

2024-01-18T14:43:09.6333333+00:00
Thank you very much for the answer. I am already familiar with the documentation you gave the link to but still I don`t understand how the validation itself should be performed on the backend side. I have PHP 7.4 and Symfony 4.4.50 on the backend. If you don"t mind I will describe the process how I see it :

Mobile application gets a token from Azure;

It sends request to my server to get some data with this token;

On the server I must somehow make sure that this token is valid. I get the public key from my Azure account and with the help of it validate the token. Then I decode the token and retrieve necessary information from it and, if everything is fine, I send the requested data to the mobile application.

Am I correct or there should be some additional steps?
Azizkhon Ishankhonov 1,010 Reputation points

2024-01-18T15:11:03.3666667+00:00

The almost, third step I think will bit easy.
I'm not familiar with PHP but in most backend servers like Java or C#, there are some default libraries for JWT authentication where you can just set/configure how exactly validation should be performed and then just protect your API with attributes(which require authorization) without custom implementation of decoding and validating of token.
For example,
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-8.0
Azizkhon Ishankhonov 1,010 Reputation points

2024-01-18T15:19:28.7566667+00:00

duplication answer removed

Share via

How to validate MS Azure token?

0 additional answers

Your answer