Hi @01525690,
Thanks for reaching out.
Access tokens are signed using RS256, which means the JWT is signed with the Azure AD private key and validated with the Azure AD public key.
Once you get the access token from the token endpoint, the token needs to be verified to validate the authenticity of the JWT's data; this is done by using Azure AD's public key to verify the signature. You can obtain the public key by calling the public Azure AD OpenID configuration endpoint https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration and verify against the private key (kid) generated by the Azure AD token.
I am not sure how to implement this in PHP, but I found a Stack Overflow thread on verifying a JWT using PHP.
Hope this will help.
Thanks,
Shweta
---------------------------------------
Please remember to "Accept Answer" if answer helped you.