How to validate an access token for an Azure app registered

Saivenkat Mahendrakar 0 Reputation points
2024-11-23T16:47:30.1166667+00:00

I have an Azure registration for a mobile native app and there is an OpenID login mechanism. The access token that is generated needs to be passed to an API that is written in Node.js. Before I return any data back to the mobile app I need to validate the access token in the Node.js backend. How to achieve this?

I have used the same tenant-id + client id and I always get invalid signature.
Also aud in my token is always "00000003-0000-0000-c000-000000000000" and iss has sts.windows.net


2 answers

  1. hossein jalilian 8,840 Reputation points
    2024-11-23T18:34:34.6433333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    • Fetch the metadata from https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration, extract the jwks_uri from the metadata, then fetch the JSON Web Key Set (JWKS) from the jwks_uri.
    • Add a custom scope in your App Registration's "Expose an API" section, request this scope when acquiring the token, and validate that the aud claim matches your API's App ID URI.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. BANDELA Siri Chandana 420 Reputation points Microsoft Vendor
    2024-11-27T14:31:02.2166667+00:00

    Hi @Saivenkat Mahendrakar

    I realize that when you have added <Custom Scope> in the token request it is working fine, but you are facing an issue passing multiple APIs that work for both the Microsoft Graph API and the custom API for further validation.

    If the permissions required for accessing both APIs are missing, there is a possibility that the token might not have the right permissions for both Graph and custom APIs. Ensure you have added and configured the necessary custom scopes under the "Expose an API" section for your custom API along with the required permissions.

    Since the aud in the access token reflects both the Microsoft Graph API audience and your custom API audience, you need to make sure that when you expose your custom API, you assign it an audience (an Application ID URI) which needs to be a part of aud claim. Also, ensure the correct code flow configuration is selected after making the changes.

    Azure AD application -> Select API Permissions -> Add a permission -> My APIs -> Select the web API you registered as part of the scope name (search with the application_id and it will show the scopes) -> select delegated permissions -> click on Add permissions -> As an admin, you can also grant consent on behalf of all users, so they're not prompted to do so.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    B. Siri Chandana.

