Signature verification for JWT issued by Azure


Could you assist us with the following question related to JWT token verification:

Recently we started writing Single Sign-On functionality for Microsoft users. We are guided by this documentation https://learn.microsoft.com/en-gb/entra/identity-platform/v2-oauth2-auth-code-flow and are using OAuth version 2.

It looks good and we are almost done, but still, we cannot verify the JWT signature by published public keys. In our case, we are fetching those keys from https://login.microsoftonline.com/573ae0ae-0a5d-4098-8813-0f140a1c85da/discovery/v2.0/keys

We are using PHP as the programming language and thought that maybe it is some incompatibility with JWK in the libraries we are using (lcobucci/jwt, firebase/php-jwt).

Then we tried to use any popular online tool (https://jwt.io, https://developer.pingidentity.com/en/tools/jwt-decoder.html) to verify it. Every time we have the same result: the signature is not verified.

Could you give us a tip on where we're mistaken? It seems like we have already tried all possible ways to find the root cause of the issue.

Maybe you could give us an example of code (programming language does not matter) where this pair (JWT and public key) passes signature verification?

Thank you everybody in advance for any valuable help.

I expect to verify a JWT token issued by Microsoft using the provided public key.

apache_borys

So, a big thank you to Gary Archer. The solution is here. The root cause is in the JWT header. If you have a similar issue, please check your JWT headers, and if they contain a nonce item, that means you received the wrong type of token. Please check Gary's blog post: add a custom scope to your application and add it to the OAuth query.
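The check the answer describes, written up as an added example (this is not code from the question, the answer or Gary Archer's blog post). It decodes the JOSE header and reports a `nonce` item as the symptom of having received a token meant for a different resource, and it verifies an RS256 signature against a JWK selected by `kid`, using only the Python standard library so every step of RSASSA-PKCS1-v1_5 is visible. The key pair, the JWKS document (`kid` "demo-kid-1"), the claims and both tokens are constructed here for the demonstration; the second token swaps in a header carrying `nonce` so that the signature no longer covers the header bytes, which reproduces the "signature is not verified" result from the question without making any claim about how Microsoft builds those tokens.

```python
import base64
import hashlib
import hmac
import json
import math
import random

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def inspect_header(token: str) -> dict:
    """Decode the JOSE header and report the symptoms discussed in the thread."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    problems = []
    if "nonce" in header:
        problems.append("header contains 'nonce': wrong token type for this API; request your own scope")
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if "kid" not in header:
        problems.append("no 'kid' to select a JWKS key")
    return {"header": header, "problems": problems}


def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes (RFC 8017, 9.2)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_rs256(token: str, jwks: dict) -> bool:
    """Verify an RS256 compact JWT against the JWK whose kid matches the header."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "RS256":  # the verifier, not the token, decides the algorithm
        return False
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        return False
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(sig_b64)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(f"{head_b64}.{body_b64}".encode(), k)
    return hmac.compare_digest(em, expected)


# --- demo key material, constructed for this example only (random + Miller-Rabin, not for real keys)
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_demo_key(bits: int = 512) -> tuple:
    """Return (n, e, d); 512 bits is enough for PKCS#1 v1.5 + SHA-256 and keeps the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def sign_rs256(header: dict, payload: dict, n: int, d: int) -> str:
    """Produce a compact RS256 JWT (used only to build the constructed samples below)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), "big"), d, n)
    return f"{h}.{p}.{b64url_encode(s.to_bytes(k, 'big'))}"


def swap_header(token: str, header: dict) -> str:
    """Replace the header segment but keep payload and signature (builds the symptom token)."""
    _, body_b64, sig_b64 = token.split(".")
    return f"{b64url_encode(json.dumps(header, separators=(',', ':')).encode())}.{body_b64}.{sig_b64}"


DEMO_N, DEMO_E, DEMO_D = generate_demo_key()
DEMO_JWKS = {"keys": [{  # constructed JWKS document in the shape of the discovery endpoint's output
    "kty": "RSA", "use": "sig", "kid": "demo-kid-1",
    "n": b64url_encode(DEMO_N.to_bytes((DEMO_N.bit_length() + 7) // 8, "big")),
    "e": b64url_encode(DEMO_E.to_bytes(3, "big")),
}]}
PAYLOAD = {"aud": "api://my-api", "sub": "user-123"}  # constructed claims
# A token for the API's own scope: no nonce in the header, signature covers the visible header.
GOOD_TOKEN = sign_rs256({"alg": "RS256", "typ": "JWT", "kid": "demo-kid-1"}, PAYLOAD, DEMO_N, DEMO_D)
# Constructed reproduction of the thread's symptom: header carries 'nonce' and does not verify.
SYMPTOM_TOKEN = swap_header(GOOD_TOKEN, {"alg": "RS256", "typ": "JWT", "kid": "demo-kid-1", "nonce": "constructed"})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("symptom", SYMPTOM_TOKEN)):
        print(name, verify_rs256(tok, DEMO_JWKS), inspect_header(tok)["problems"])
```

Run `inspect_header` first on a token that will not verify: if the only problem it reports is the `nonce` item, the fix is on the requesting side (ask for a scope of your own application, as the answer says), not in the PHP JWT library or the JWKS download.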