Unable to get key for verifying signature from amurl claim in Exchange ID token

KA 0 Reputation points
2024-10-17T08:32:53.3166667+00:00

The Exchange ID token obtained from Office.js contains a signature that requires verification by extracting the amurl claim from the payload and downloading the public key from that URL. https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/validate-an-identity-token#validate-token-contents

According to the documentation, the typical content of the amurl claim is: https://outlook.office365.com:443/autodiscover/metadata/json/1

Recently, accessing this URL using the GET method returns an HTTP status code 401. This raises concerns about the potential deprecation of the Exchange ID token as mentioned in the following documentation: https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens

  1. Will access to the public key distribution URL for verifying the Exchange ID token become permanently unavailable in the future?
  2. Is there a procedure or workaround to regain access to this URL, or an alternative method for validating the Exchange ID token? If so, how long will this method be supported?

Any insights on this would be greatly appreciated. Thank you in advance.

Exchange Online
Microsoft 365 and Office Development Other

1 answer

  1. Anonymous
    2024-10-18T02:29:36.6666667+00:00

    Hello, @KA,

    Welcome to the Microsoft Q&A platform!

    As you said, currently, accessing the public key distribution URL used to validate Exchange ID tokens returns an HTTP status code 401, which indeed raises concerns about the potential deprecation of these tokens.

    About Question 1, according to the latest documentation, Microsoft plans to gradually phase out legacy Exchange Online tokens. This means that in the future, it may be permanently impossible to access these URLs to validate tokens.

    About Question 2, please consider following the steps below.

    1. Use Microsoft Graph API: Microsoft recommends developers transition to using the Microsoft Graph API for authentication and token validation. Microsoft Graph provides more modern and secure authentication mechanisms.
    2. Update Applications: Ensure your applications use the latest authentication libraries and methods to comply with Microsoft’s latest security standards and guidelines.
    3. Pay attention to the duration of support: Microsoft typically provides detailed timelines and transition periods to give developers ample time to migrate. It is recommended to regularly check Microsoft’s official documentation and announcements for the latest information and support timelines.

    If the answer is helpful please click on ACCEPT ANSWER as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

    Thank you for your support and understanding.

    Best Wishes,

    Alex Zhang
