GraphAPI - cannot validate access_token signature

Mark Babayev 226 Reputation points
2021-03-17T12:32:18.01+00:00

I want to validate the Microsoft Graph API access_token signature only. The Microsoft public certificates are retrieved from the URL:
https://login.microsoftonline.com/common/discovery/v2.0/keys
Here the x5c is the public certificate that can be used for the signature validation (I take the first key).
All access_token parts already arrive in base64url format.

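const jwt = require('jsonwebtoken');
// Wrap the first x5c entry (base64-encoded DER certificate) in PEM armor
let pubcert = '-----BEGIN CERTIFICATE-----\n' + x5c[0] + '\n-----END CERTIFICATE-----';
// Pin the accepted algorithm and report verification errors
jwt.verify(access_token, pubcert, { algorithms: ['RS256'] }, function(err, decoded) {
   if (err) return console.error(err.message);
   console.log(decoded);
});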

After all this, the jsonwebtoken library says that the signature is invalid. I tried to validate it directly with the Node.js crypto library and got the same result.
The https://jwt.io/ website also shows that the signature is invalid.

const crypto = require('crypto');
access_token = access_token.split('.');
// The signing input is "<header>.<payload>" exactly as received
let payload = access_token.slice(0,2).join('.');
let pubcert = '-----BEGIN CERTIFICATE-----\n' + x5c[0] + '\n-----END CERTIFICATE-----';
let verifier = crypto.createVerify('RSA-SHA256');
verifier.update(payload, 'utf8');
// Third segment is the signature
let isvalid = verifier.verify(pubcert, access_token[2], 'base64');

I also tried to send the payload hash instead of the full text, but it still doesn't work:

// Hash goes in a new variable; redeclaring `payload` with let would throw
let payloadHash = crypto.createHash('sha256').update(payload).digest("base64");
verifier.update(payloadHash, 'base64');

Accepted answer
  1. Siva-kumar-selvaraj 15,681 Reputation points
    2021-03-18T12:45:06.227+00:00

    Hello @Mark Babayev,

    Thanks for reaching out.

    This behavior is to be expected when you try to validate the signature of an access_token which was issued for the Microsoft Graph API (https://graph.microsoft.com/). When you get an access token for Graph, it can only be used to consume Microsoft Graph API / Graph. If you have your own web API, you must get another access token (issued to your web API) and send it as bearer, not the Graph one for validation.

    You should not be looking at or trying to validate access tokens for APIs that are not "yours", like those issued for MS Graph API. See these articles for a detailed discussion:

    https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609#issuecomment-383877585
    https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/issues/183#issuecomment-529632013

    Hope this helps.

    Regards,
    Siva Kumar SelvaraJ

    ---------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
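
The check the accepted answer describes, as an added example that is not part of the original thread: accept only tokens whose audience is your own API, and only then verify the RS256 signature with the key selected by `kid` from the keys document. `MY_API_AUDIENCE`, `verifyForMyApi`, `signSample`, `SAMPLE_JWKS` and the `kid` value are hypothetical or constructed; the example assumes the keys document carries the RSA members `n` and `e` alongside `x5c`, and uses a locally generated key pair so it runs offline.

```javascript
const crypto = require('crypto');

// Assumption: the App ID URI of your own web API (constructed value).
const MY_API_AUDIENCE = 'api://constructed-web-api';
const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// token: compact JWS string; jwks: parsed keys document; now: seconds since epoch.
function verifyForMyApi(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try { header = b64urlJson(parts[0]); claims = b64urlJson(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };

  // Unverified claims are read only to reject: a token issued for another
  // resource (such as Graph) is not ours to validate.
  const aud = [].concat(claims.aud ?? []);
  if (!aud.includes(MY_API_AUDIENCE)) return { ok: false, reason: 'wrong-audience' };

  // Pin the algorithm instead of trusting whatever the header asks for.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) return { ok: false, reason: 'unknown-kid' };

  const key = crypto.createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  // Signing input is the first two segments exactly as received.
  const signingInput = Buffer.from(`${parts[0]}.${parts[1]}`, 'ascii');
  const sigOk = crypto.verify('sha256', signingInput, key, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed fixture: a local key pair standing in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'constructed-kid' }] };

// Builds a constructed RS256 token for the fixture key.
function signSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ typ: 'JWT', alg: 'RS256', kid: 'constructed-kid' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}
```

A production validator would also check `iss`, `nbf` and the tenant, which this sketch leaves out.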