Azure AD: Validate access_token

adusheba 21 Reputation points
2022-03-30T13:11:57.18+00:00

I used the endpoint 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token' to obtain an access_token.
Now I want to validate that access_token in my application, using the public key obtained from 'https://login.microsoftonline.com/common/discovery/v2.0/keys'.

However, every solution that I found for this didn't work for me (e.g. https://github.com/mauliksoni/aad-token-validation/blob/main/DotNetFramewrork/validate.cs).

Does anyone know if it's possible to accomplish such validation?

P.S. I also found this info in a Microsoft article, saying it's not possible to validate such a token; maybe that's the reason (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)


Microsoft Entra ID

Accepted answer
  1. Shweta Mathur 27,456 Reputation points Microsoft Employee
    2022-03-30T15:14:28.913+00:00

    Hi adusheba-9169,

    Thanks for reaching out.

    I understand you are looking to verify the signature of the access token issued by Azure AD by using the public endpoint.

    An access token contains claims that you can use in Azure Active Directory to identify the granted permissions to your APIs. When your internal application receives an access token, it must validate the signature to prove that the token is authentic.

    To verify the JWT token:

    Verify that the JWT contains three segments, separated by two period ('.') characters.

    Parse the JWT to extract its three components. The first segment is the Header, the second is the Payload, and the third is the Signature. Each segment is base64url encoded.

    The Signature contains the digital signature of the token that was generated by Azure AD’s private key and verifies that the token was signed by the sender.

    The way to validate the authenticity of the JWT token’s data is by using Azure AD’s public key to verify the signature.

    You can obtain the public key by calling the public Azure AD OpenID configuration endpoint:

    https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id} and verify against the private key generated by Azure AD token. For validation, developers can decode JWTs using jwt.ms and verify against "kid" claim.

    If it works, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token.

    The warning which is mentioned is regarding that access tokens are secure and contain sensitive information, so we should avoid reading others' tokens and secure our tokens from attacks.

    Hope this will help.

    Thanks,
    Shweta

    --------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
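The steps in the answer above (split into three segments, base64url-decode, pick the published key by "kid", check the RS256 signature), as an added example that is not part of the original answers. The names `verify_rs256` and `make_demo`, the kid "demo-kid" and the sample claims are assumptions made for illustration; in real use `jwks` would be the JSON returned by the keys endpoint.

```python
import base64, hashlib, json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo, RFC 8017

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def emsa(signing_input, k):
    # 0x00 0x01 FF..FF 0x00 DigestInfo, padded out to the modulus length k
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t

def verify_rs256(token, jwks):
    """Return the payload claims if the signature verifies, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    header = json.loads(b64d(parts[0]))
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header's choice
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no published key matches the token's kid")
    n, e = (int.from_bytes(b64d(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = b64d(parts[2])
    s = int.from_bytes(sig, "big")
    expected = emsa(f"{parts[0]}.{parts[1]}".encode(), k)
    if len(sig) != k or s >= n or pow(s, e, n).to_bytes(k, "big") != expected:
        raise ValueError("signature does not verify; treat the token as invalid")
    return json.loads(b64d(parts[1]))

def make_demo():
    """Constructed sample: throwaway key built from two Mersenne primes (not secure)."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    jwks = {"keys": [{"kty": "RSA", "kid": "demo-kid", "e": b64e(e.to_bytes(3, "big")),
                      "n": b64e(n.to_bytes(k, "big"))}]}
    head = b64e(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}).encode())
    body = b64e(json.dumps({"aud": "api://demo", "scp": "Demo.Read"}).encode())
    m = int.from_bytes(emsa(f"{head}.{body}".encode(), k), "big")
    return f"{head}.{body}.{b64e(pow(m, d, n).to_bytes(k, 'big'))}", jwks

if __name__ == "__main__":
    print(verify_rs256(*make_demo()))  # claims are returned only when the signature checks out
```

A valid signature only shows who signed the token; issuer, audience and expiry claims still have to be checked before the claims are trusted.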

1 additional answer

  1. Juan Carrilho 31 Reputation points
    2022-10-19T17:54:37.787+00:00

    I was able to validate an access token issued by Azure AD for a user following this tutorial https://www.voitanos.io/blog/validating-azure-ad-generated-oauth-tokens/

    2 people found this answer helpful.