Microsoft Teams Auth Token / Microsoft graph access token swap

Dale N 1 Reputation point
2021-11-22T21:49:57.903+00:00

I am generating an auth token using the Teams JS SDK. From this, I swap it out for a MS Graph access token using the following input to a PHP cURL call:

$scope = urlencode('https://graph.microsoft.com/user.read+offline_access');
$url = 'login.microsoftonline.com/' . $tenant_id;
$url .= '?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer';
$url .= '&client_id=' . $aad_app_id;
$url .= '&client_secret=' . $client_secret;
$url .= '&assertion=' . $auth_token;
$url .= '&scope=' . $scope;
$url .= '&requested_token_use=on_behalf_of';

Question: how can I be sure the auth token sent back from using the Teams JS SDK is actually valid? I need to verify it * behind the scenes * in an automated way (php) - I know we can manually validate it at jwt.io, but this does us no good. In swapping the Teams Auth Token for the Graph Access token, it would seem to me that the assertion (auth token) , client secret, client id, and the tenant id are all used to verify authenticity. Is this correct? Will a success (Graph access token retrieval) essentially validate the Auth token is from who we think it's from (Microsoft)?

A parallel question: is the client secret used in creating the jwt token signature? If so, How can I verify it?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
13,059 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.