Use python-jose to do something like this:
import requests
from jose import jwt

def verify_token(token_string):
    # Fetch the OpenID configuration, which includes the JWKS URI and the issuer
    # Eg. https://login.microsoftonline.com/tenant-guid/v2.0/.well-known/openid-configuration
    response = requests.get("your_tenant_openidc_configuration_endpoint_url")
    payload = response.json()
    jwks = payload["jwks_uri"]
    issuer = payload["issuer"]
    # Read the JWT header (without verification) to learn which key id signed it
    unverified_header = jwt.get_unverified_header(token_string)
    response = requests.get(jwks)
    keys = response.json().get("keys")
    # Find the key which was used to sign the JWT token
    rsa_key = {}
    for key in keys:
        if key["kid"] == unverified_header["kid"]:
            rsa_key = {
                "kty": key["kty"],
                "kid": key["kid"],
                "use": key["use"],
                "n": key["n"],
                "e": key["e"],
            }
            break
    if not rsa_key:
        # Fail closed: never hand an empty key to the verifier
        raise ValueError("No JWKS entry matches the token's kid")
    # Verify the JWT token: signature, expiry, audience and issuer
    options = {"verify_signature": True, "verify_exp": True, "verify_aud": True, "verify_iss": True}
    payload = jwt.decode(
        token_string,
        rsa_key,
        algorithms=["RS256"],
        audience="your_api_client_id",
        issuer=issuer,
        options=options,
    )
    return payload
Let me know if you need additional or more detailed guidance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
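As an added example (not part of the answer above or of python-jose itself), here is the part of that flow which runs before jose.jwt.decode(): parsing the unverified header, pinning the algorithm on the verifier's side, and looking the kid up in a JWKS cache that refetches once on an unknown kid so that key rotation does not break clients. The fetch callable, the JwksCache class and the unsigned_token test helper are assumptions introduced here; signature and claim verification are still left to jose.jwt.decode().

```python
import base64
import json
# Added example (not the answer's own code): the part of the flow above that runs
# before jose.jwt.decode() -- header parsing, algorithm pinning, kid lookup in a
# cached JWKS that is refetched once on an unknown kid (Azure AD rotates keys).
ALLOWED_ALGS = ("RS256",)  # fixed by the verifier, never read from the token header
class InvalidToken(Exception):
    pass

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unverified_header(token):
    if token.count(".") != 2:
        raise InvalidToken("expected header.payload.signature")
    return json.loads(b64url_decode(token.split(".", 1)[0]))

class JwksCache:
    def __init__(self, fetch_jwks):
        self._fetch = fetch_jwks  # e.g. lambda: requests.get(jwks_uri).json()
        self._keys = {}
        self.fetch_count = 0

    def _reload(self):
        self.fetch_count += 1
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", []) if "kid" in k}

    def signing_key(self, kid):
        if kid not in self._keys:
            self._reload()  # one refetch so a freshly rotated key is accepted
        key = self._keys.get(kid)
        if key is None:
            raise InvalidToken(f"no JWKS entry for kid {kid!r}")  # fail closed; never pass {} on
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
            raise InvalidToken("matched key is not an RSA signing key")
        return {f: key[f] for f in ("kty", "kid", "use", "n", "e") if f in key}

def select_key(token, cache):
    """JWK to pass as jose.jwt.decode(token, key, algorithms=list(ALLOWED_ALGS), audience=..., issuer=...)."""
    header = unverified_header(token)
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken(f"alg {header.get('alg')!r} not allowed")  # blocks 'none' and HS256 downgrade
    if "kid" not in header:
        raise InvalidToken("header carries no kid")
    return cache.signing_key(header["kid"])

def unsigned_token(header, claims):
    """Constructed test input only: header.payload with an empty signature segment."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."
```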