Validate Azure AD v1 id_token Signature

Q

How to validate the id_token signature received from Azure AD v1.0 authentication response?

✍: FYIcenter.com

A

You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article".

But you can also try to validate the "id_token" signature with your own code logic in these steps:

1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Azure AD service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.

Header =
{ "typ": "JWT",
  "alg": "RS256",
  "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
  "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ""
}

2. Get a copy of the Azure AD metadata document:

GET https://login.microsoftonline.com/common/.well-known/openid-configuration

3. Take the "jwks_uri" value from the metadata document as the URL of Azure AD public keys:

{
    "authorization_endpoint": 
       "https:\/\/login.microsoftonline.com\/common\/oauth2\/authorize",
    "token_endpoint": 
       "https:\/\/login.microsoftonline.com\/common\/oauth2\/token",
...
    "jwks_uri":
       "https:\/\/login.microsoftonline.com\/common\/discovery\/keys",
}

4. Get a copy of Azure AD public keys:

GET https://login.microsoftonline.com/common/discovery/keys

5. Take the "x5c" value the "keys" entry with "kid" matching the value your have from the "id_token". The "x5c" value is the X.509 certificate of the public key.

{
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
            "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
            "n": "u98KvoUHfs2z2YJyfkJzaGFYM58eD0...",
            "e": "AQAB",
            "x5c": [
                "MIIDBTCCAe2gAwIBAgIQV68hSN9Drrl..."
            ]
        },
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
            "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
            ...
        },
        ...
    ]
}

6. Validate the "Signature" component of the "id_token" with the public key certificate.

⇒ OpenID Tutorials

⇐ Validate Azure AD v1 id_token

⇑ Azure AD Integration v1.0

⇑⇑ OpenID Tutorials

2021-05-16, 1553🔥, 0💬

What Is EPUB 2.0 Specification
What Is EPUB 2.0 Specification? EPUB 2.0.1 Specification is the 2.0.1 version of EPUB specification. EPUB 2.0.1 Specification was a maintenance release of EPUB 2. Its development was chartered in 2009, and the final standard was approved by the IDPF Membership as a Recommended Specification in May, ... 2023-05-09, ∼2423🔥, 0💬

Decode Azure AD v1 id_token
How to decode the id_token value received from Azure AD v1.0 authentication response? According to the "RFC 7519 - JWT (JSON Web Token)" standard, the "id_token" value received from Azure AD authentication response should be decoded as below: Splitting the encoded string into 3 components: Header, B... 2021-05-16, ∼2101🔥, 0💬

Minimum Requirement of EPUB 2.0.1 File
What Is the minimum requirement of an EPUB 2.0.1 file? If you want to build an EPUB file that meets the minimum requirements of EPUB 2.0.1 specification, you need to prepare the following: 1. A text file called "mimetype" with one line listed below. It specifies the mimetype of an EPUB 2.0.1 book fi... 2023-05-09, ∼2068🔥, 0💬

Hello-2.0.epub - "container.xml" File
How to create the "container.xml" file of an EPUB 2.0.1 book? The "container.xml" file of an EPUB 2.0.1 book is a required file in the book ZIP container. It specifies a package file of any name, for example: package.opf. Here is the requirement on the "container.xml" file: 1. The "container.xml" fi... 2023-05-09, ∼2015🔥, 0💬

Hello-2.0.epub - "mimtype" File
How to create the "mimetype" file of an EPUB 2.0.1 book? The "mimetype" file of an EPUB 2.0.1 book is a required file in the book ZIP container. It specifies the mimetype of an EPUB 2.0.1 book file. Here is the requirement on the "mimetype" file: 1. The "mimetype" file must be named as "mimetype". 2... 2023-05-09, ∼1953🔥, 0💬

Azure AD v1 id_token Decoded Example
Where to find an Azure AD v1.0 id_token decoded example? Here is an example of an "id_token" value returned from Azure AD v1.0 after Base64URL decoded: Header = { "typ": "JWT", "alg": "RS256", "x5t": "i6lGk3FZzxRcUb2C3nEQ7syHJlY", "kid": "i6lGk3FZzxRcUb2C3nEQ7syHJlY" } Body = { "aud": "ef1da9d4-ff77... 2021-05-16, ∼1765🔥, 0💬

Dump Azure AD v1 Authentication Response
How to build a PHP script to dump Azure AD v1.0 Authentication Response? If you are use the Azure-AD-Authentication-Reques t-Test.htmltest Web form, you need to write a server side script to dump the Azure AD Authentication Response. Here is an example of PHP script, openID_receiver.php, that dumps ... 2022-05-01, ∼1663🔥, 0💬

Build Implicit Flow with Azure AD v1
How to implement the OpenID Implicit Flow with Azure AD v1.0 service? If you want to implement the OpenID Implicit Flow in your Web application to use Azure AD service, you should follow these steps: 1. Building the Azure AD v1.0 Sign-on authentication request: Register your Web application to the A... 2021-05-16, ∼1631🔥, 0💬

Validate Azure AD v1 id_token
How to validate the id_token value received from Azure AD v1.0 authentication response? As you can see from the previous tutorials, you can easily decode the "id_token" value received from Azure AD authentication response using a simple PHP script. After decoding, you can get all information about t... 2021-05-16, ∼1607🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.