Azure Active Directory: Is it possible to create and manage user access to JWT tokens with Azure Active Directory?

Utvich, Daniel 21 Reputation points
2022-01-06T19:36:36.467+00:00

I'm looking to do something like the following:

  1. User logs into an application with Azure Active Directory.
  2. After successful login, the application returns that user a JWT token.
  3. The user can then copy that token and use it to log into an internal application/database.

Is Azure Active Directory capable of providing us with these JWT tokens? I'm looking for Azure Active Directory to be the issuer of the token and provide a certificate that I can use for token validation.

Any help / guidance is appreciated, thank you.

Daniel


Accepted answer
    Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-01-07T09:31:34.883+00:00

    Hi @Utvich, Daniel ,

    Thanks for reaching out.

    Please find my response inline:

    User logs into an application with Azure Active Directory.

    It is possible to create and manage user access with Azure Active Directory. To log in to an application with Azure Active Directory, the application needs to be registered in Azure AD.

    To register the application in Azure Active Directory:

    Sign in to the Azure portal and select Azure Active Directory in the tenant where you want to register the application.

    Under Manage, select App registrations > New registration.

    The user or administrator must grant it the correct permissions via a consent process to access the application.

    Update the application ID, tenant ID and redirect URI information in the application registered in Azure Active Directory.

    After successful login, the application returns that user JWT token.

    Application Sign-In Flow:

    1. Users need to enter their credentials in a browser to log in to the application; the application delegates to Azure AD to verify the credentials in compliance with the policy of the organization.
    2. The user is asked to consent to the access that the client application needs, based on the access assigned to the user during application registration.
    3. After successful login, the Microsoft identity platform sends the ID token and access token (which are JWT tokens) to the application, based on the access the user has consented to.

    Is Azure Active Directory capable of providing us with these JWT tokens? I'm looking for Azure Active Directory to be the issuer of the token and provide a certificate that I can use for token validation.

    All tokens used in Azure AD are JSON web tokens (JWTs) that contain assertions of information about the bearer and the subject of the token. There are different tokens provided by Azure Active Directory.

    ID token - A JWT that contains claims that you can use to identify users in your application. When your application/API receives an ID token, it must validate the signature to prove that the token is authentic.

    Access token - A JWT that contains claims that you can use to identify the permissions granted to your APIs. Access tokens are signed by Azure Active Directory. An access token contains claims that you can use in Azure Active Directory to identify the permissions granted to your APIs.
    When your internal application receives an access token, it must validate the signature to prove that the token is authentic. Your application/API must also validate a few claims in the token to prove that it is valid.

    Refresh Token - When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires.
    Refresh tokens have a longer lifetime than access tokens. Refresh tokens are encrypted and only the Microsoft identity platform can read them.

    To verify the JWT token:

    1. Verify that the JWT contains three segments, separated by two period ('.') characters.
    2. Parse the JWT to extract its three components. The first segment is the header, the second is the payload, and the third is the signature. Each segment is base64url encoded.
    3. The signature segment contains the digital signature of the token, generated with Azure AD's private key, and verifies that the token was signed by the sender.

    The way to validate the authenticity of the JWT token's data is to use Azure AD's public key to verify the signature.
    You can obtain the public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/common/.well-known/openid-configuration and verify it against the private key generated by Azure AD for the token.

    If it works, you know the contents were signed with the private key. If not, you can't be sure of it, so you should treat the JWT token as an invalid token.
    For validation, developers can also decode JWTs using jwt.ms.

    The user can then copy that token and use it to log into an internal application/database.

    Now that you've successfully acquired an access token, you can use the token in requests to call the application/Web API by including it in the Authorization header. The app can use this token to authenticate to the secured resource, such as a web API or resource server.
    When your application or API receives a token, it should also perform several checks against the claims in the ID token, such as:

    • audience - Verifies that the ID token was intended to be given to your application. Access tokens are created based on the audience of the token, meaning the application that owns the scopes in the token.
    • not before and expiration time - Verifies that the ID token hasn't expired.
    • issuer - Verifies that the token was issued to your application by Azure AD B2C.
    • nonce - A strategy for token replay attack mitigation.

    Hope this helps.

    Thanks,
    Shweta

    -----------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

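The validation steps the accepted answer lists (three base64url segments, an RS256 signature checked against the key the issuer publishes at the jwks_uri named in its OpenID configuration document, then issuer, audience, nbf and exp) written out as a runnable Go check for the internal application that receives the token. This is an added example, not code from the post or from Microsoft: it uses only the Go standard library and runs offline, so the Issue function stands in for the identity provider (it generates a throwaway signing key and returns the JWK that jwks_uri would publish), and the issuer URL with its <tenant-id> placeholder, the audience api://internal-app and the kid k1 are made-up values, not anything from a real tenant.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments use unpadded base64url (RFC 7515)

// JWK is the RSA subset of one "keys" entry at the jwks_uri the OpenID configuration names (json maps kid/kty/n/e).
type JWK struct{ Kid, Kty, N, E string }

// Claims are the registered claims a resource server checks (Azure AD issues "aud" as one string).
type Claims struct{ Iss, Aud string; Exp, Nbf int64 }

// publicKeyFor picks the published key the token's "kid" names and rebuilds it from "n" and "e".
func publicKeyFor(keys map[string]JWK, kid string) (*rsa.PublicKey, error) {
	k, ok := keys[kid]
	nb, errN := b64.DecodeString(k.N)
	eb, errE := b64.DecodeString(k.E)
	e := new(big.Int).SetBytes(eb)
	if !ok || k.Kty != "RSA" || errN != nil || errE != nil || !e.IsInt64() || e.Int64() > 1<<31-1 {
		return nil, fmt.Errorf("no usable RSA key with kid %q", kid)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}, nil
}

// ValidateToken performs the checks the answer lists: three segments, an RS256 signature under
// the issuer's published key, then iss, aud, nbf and exp. Pinning alg refuses "none" and HMAC.
func ValidateToken(token string, keys map[string]JWK, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token has %d segments, want 3", len(parts))
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected (alg=%q)", hdr.Alg)
	}
	pub, err := publicKeyFor(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is the raw first two segments
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	const skew int64 = 60 // seconds of clock tolerance between issuer and API
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token was issued for %q, not this API", c.Aud)
	case now.Unix()+skew < c.Nbf || now.Unix()-skew >= c.Exp: // a missing exp (0) is rejected too
		return nil, fmt.Errorf("token is outside its nbf..exp validity window")
	}
	return &c, nil
}

// Issue stands in for the identity provider so the example runs offline: it creates a fresh
// signing key, signs header.payload with it and returns the JWK that jwks_uri would publish.
func Issue(kid string, claims map[string]any) (string, JWK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", JWK{}, err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	jwk := JWK{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return input + "." + b64.EncodeToString(sig), jwk, err
}

func main() {
	iss, aud := "https://login.microsoftonline.com/<tenant-id>/v2.0", "api://internal-app" // placeholders
	tok, jwk, _ := Issue("k1", map[string]any{"iss": iss, "aud": aud, "exp": time.Now().Add(time.Hour).Unix()})
	c, err := ValidateToken(tok, map[string]JWK{jwk.Kid: jwk}, iss, aud, time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

In a real deployment the keys map is the cached contents of the jwks_uri document, refreshed when a token arrives with an unknown kid, and the expected issuer string is taken from the issuer member of the tenant-specific configuration document rather than from the /common one the answer links, whose issuer value contains a {tenantid} placeholder instead of a literal tenant. The alg check matters as much as the signature check: a verifier that lets the token's own header choose the algorithm can be talked into "none" or into treating the public key as an HMAC secret.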
