Azure AD access token validation exception in Resource Server

Smith, Larry (L.G.) 6 Reputation points
2022-09-01T12:23:19.963+00:00

Hi,
We have a SPA in React typescript and Spring boot at backend.

SPA does the authentication of user and gets the access token as part of redirect URI.
Now SPA calls the spring boot backend API attaching access token as Bearer in header.

I followed reference to implement security config in java to validate the token
https://github.com/Azure-Samples/ms-identity-java-webapi/blob/edbd399155341556e3871065d1b8b4be2e9cbce0/msal-obo-sample/src/main/java/com/microsoft/azure/msalobosample/SecurityResourceServerConfig.java
i got exception - org.springframework.security.jwt.crypto.sign.InvalidSignatureException: RSA Signature did not match content
at org.springframework.security.jwt.crypto.sign.RsaVerifier.verify(RsaVerifier.java:59) ~[spring-security-jwt-1.1.1.RELEASE.jar:na]

After i resolve the above exception, i need to validate the ID token via spring boot

Azure Spring Apps
Azure Spring Apps
An Azure platform as a service for running Spring Boot applications at cloud scale. Previously known as Azure Spring Cloud.
109 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,437 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 27,301 Reputation points Microsoft Employee
    2022-09-02T11:25:05.18+00:00

    Hi @Smith, Larry (L.G.) ,

    Thanks for reaching out.

    The reason for getting this error is due to invalid signature.

    Signature contains the digital signature of the token that was generated by Azure AD’s private key and verify that the token was signed by the sender.

    To validate the authenticity of the JWT token’s data is by using Azure AD’s public key to verify the signature.
    You can obtain public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id} and verify against the private key (kid) generated by Azure AD token.

    In case of multi-tenant application, it should be https://login.microsoftonline.com/common/discovery/keys

    If it works, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token and throws the Signing and verification RSA keys do not match error by catching InvalidSignatureException.

    For validation, developers can also decode JWTs using jwt.ms .

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------

    Please remember to "Accept Answer" if answer helped you.