Access Token validation using JWK
I have a web page that needs to authenticate with Azure. The scopes provided are openid profile. I receive a JWT access token that I want to validate offline using a JWK keyset. In the JWT header the algorithm is the expected RS256 and the kid is present in the JWK published in the openid-configuration.
Everything looks correct, except that the token doesn't verify (I use the Nimbus Java framework). There is some folklore around this. Some say that if there is a nonce in the JWT token header it will not validate. Others say that it has something to do with permissions to APIs in Azure AD. Some say it has something to do with using the Graph API; some say that the algorithm in the JWT header is incorrect and it works with H256.
The Azure AD documentation is a bit shallow regarding validation of access tokens and how they deviate from standards.
Do you know how to make Azure behave and issue proper access tokens that you can verify?
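As an added example (not code from the question, from Azure, or from the Nimbus project itself), the offline check described above can be structured with Nimbus JOSE+JWT as follows. The JWKS document, the expected issuer and audience, the kid and the token are placeholders; the real values come from the tenant's openid-configuration document (issuer and jwks_uri) and the app registration. The example pins the algorithm to RS256, selects the signing key by kid from the locally held key set, and only then enforces issuer, audience and validity-window claims, because a token whose aud is some other resource is not one this service should accept even if its signature were to verify.

```java
import java.text.ParseException;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

public class OfflineJwtValidation {

    // Placeholder JWKS document: in practice this is the JSON fetched (and cached)
    // from the jwks_uri listed in the tenant's openid-configuration.
    static final String JWKS_JSON = "{\"keys\":[{\"kty\":\"RSA\",\"use\":\"sig\","
            + "\"kid\":\"<kid-from-jwks>\",\"alg\":\"RS256\","
            + "\"n\":\"<base64url-modulus>\",\"e\":\"AQAB\"}]}";

    // Assumed values for this example; take the real ones from the "issuer" field
    // of the openid-configuration document and from your own app registration.
    static final String EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    static final String EXPECTED_AUDIENCE = "<your-api-client-id>";

    public static JWTClaimsSet validate(String token, String jwksJson)
            throws ParseException, BadJOSEException, JOSEException {

        // 1. Parse the compact serialisation without trusting it yet and refuse
        //    any algorithm other than the one we expect. Pinning alg here (and
        //    again in the key selector) rules out "none" and key-confusion cases.
        SignedJWT jwt = SignedJWT.parse(token);
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new BadJOSEException("Unexpected alg: " + jwt.getHeader().getAlgorithm());
        }
        if (jwt.getHeader().getKeyID() == null) {
            throw new BadJOSEException("Token header has no kid");
        }

        // 2. Key source built from the locally held JWKS. ImmutableJWKSet never
        //    touches the network, so this really is offline validation.
        JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(JWKSet.parse(jwksJson));

        // 3. The selector picks the JWK whose kid matches the header and whose
        //    key type fits RS256; with no matching key, processing fails.
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));

        // 4. A valid signature alone is not enough: the token must be for us (aud),
        //    from the expected issuer (iss) and inside its validity window (exp/nbf,
        //    checked by the verifier with a small clock-skew allowance).
        DefaultJWTClaimsVerifier<SecurityContext> claimsVerifier = new DefaultJWTClaimsVerifier<>(
                EXPECTED_AUDIENCE,
                new JWTClaimsSet.Builder().issuer(EXPECTED_ISSUER).build(),
                Set.of("sub", "iat", "exp"));
        claimsVerifier.setMaxClockSkew(60); // seconds
        processor.setJWTClaimsSetVerifier(claimsVerifier);

        // process() verifies the signature with the selected key and then runs the
        // claims verifier; any failure surfaces as BadJOSEException.
        return processor.process(token, null);
    }

    public static void main(String[] args) throws Exception {
        String token = args.length > 0 ? args[0] : "<compact-jws-token>";
        JWTClaimsSet claims = validate(token, JWKS_JSON);
        System.out.println("Token accepted for subject " + claims.getSubject()
                + ", audience " + claims.getAudience());
    }
}
```

When the claims verifier rejects the token, the exception message says which check failed (wrong audience, wrong issuer, expired), which separates a genuine signature mismatch from a token that was simply issued for a different resource. A useful first diagnostic before touching any key material is therefore to decode the payload and compare its aud and iss with what this service expects.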