Azure AD B2C - Id_Token Signature issued by Custom Policies in identity experience framework

Harjani, Ashish 201 Reputation points
2020-03-27T22:40:49.253+00:00

Hi,

As per the below docs :
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens

Validation of an id_token should be the same as validating an access_token, which means that an id_token should be signed. But, when an id_token is issued by Identity Experience Framework (after the user logs in), that id_token does not contain any signature.

Please explain the ambiguity between the docs and the actual functionality.

One more reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens ... which says "To validate an id_token or an access_token, your app should validate both the token's signature and the claims"

Thanks!


3 answers

  1. AmanpreetSingh-MSFT 56,466 Reputation points
    2020-04-01T10:31:57.34+00:00

    @Harjani, Ashish This is because jwt.io is not able to fetch the public key and is unable to validate the signature. Please refer to the screenshot below, which is captured with a token issued via standard AAD and not IEF. There is a slight difference in how the public key is fetched in the case of a token issued via IEF, which might be the reason why you don't see the public key on jwt.io for a token issued via IEF. You can read more about signature validation in B2C here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview#validate-signature

    [screenshot: 7011-capture.jpg]

    -----------------------------------------------------------------------------------------------------------

    Please Accept as answer wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.

  2. AmanpreetSingh-MSFT 56,466 Reputation points
    2020-03-30T13:14:17.55+00:00

    @Harjani, Ashish I disagree with you on this statement "when an id_token is issued by Identity Experience Framework ( after user logs in) then that id_token does not contain any signature."

    Below is a snip of the id_token issued by IEF, which is signed. If you decode the token at https://jwt.ms, you will find that the green text is the signature and that "alg": "RS256" is the id_token signing algorithm, which matches the value of the id_token_signing_alg_values_supported parameter in your OIDC metadata located here:
    https://login.microsoftonline.com/{your_b2c_tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration

    [screenshot: 6682-capture.jpg]

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


  3. Rahul Kaim 21 Reputation points
    2020-04-30T13:38:39.797+00:00

    Hi Amanpreet,

    I hope you are doing well and safe!!

    Can you please help me with the JWT signature "kid value is not matched" error, and how I can validate the kid?

    I am using jwks_uri for the keys. I am not an expert, so if you can, please explain the complete step-by-step chronology to try.