I am trying to validate the access token provided by Azure OAuth2. I am using nimbus to validate the token, however I keep getting the "invalid signature" error.
I read on some pages that if the access token contains a nonce, then I won't be able to validate it since it's meant to be used internally by Microsoft only. I followed the instructions on this page (https://authguidance.com/azure-ad-troubleshooting/) to get the acecss token without a nonce, but it doesn't work.
I can see that the ID token doesn't contain a nonce, but the access token does.
Does anyone know how I can get an access token (withouth a nonce) that I can validate using nimbus?
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and added Microsoft Graph
API permissionsas below:Now I generated access token and id token using authorization code flow via Postman with below parameters:
Response:
When I decoded the above access token in jwt.io website, I too got Invalid Signature error as it has
nonceclaim like below:To get access token without nonce claim, change
scopevalue to custom API instead of Microsoft APIs.I added Application ID URI and new scope named
Custom.Readby selecting Expose an API in my application like this:You can find above scope in My APIs of your application with same name like this:
Now, add that scope in API permissions of your application like this:
Make sure to grant admin consent to the added permission like below:
To get code, I ran below authorization request in browser like this:
Response:
Now, I generated access token by changing scope to custom API using authorization code flow via Postman like below:
Response:
When I decoded the above access token in jwt.io website, it does not have
nonceclaim and signature verified successfully like below: