Tags: validation, oauth-2.0, azure-active-directory, access-token, adal

Invalid signature while validating Azure ad access token, but id token works


I am getting "invalid signature" while using jwt.io to validate my Azure AD access token. My ID token, however, validates just fine!

I have seen and tried the solutions suggested in
Invalid signature while validating Azure ad access token
and
https://nicksnettravels.builttoroam.com/post/2017/01/24/Verifying-Azure-Active-Directory-JWT-Tokens.aspx
but neither works for my access token.

The access and ID tokens are generated via Adal.js:

    // Resource URL -> resource identifier; ADAL requests the access token for graph.windows.net
    var endpoints = {
        "https://graph.windows.net": "https://graph.windows.net"
    };
    var configOptions = {
        tenant: "<ad>.onmicrosoft.com", // Optional by default, it sends common
        clientId: "<app ID from azure portal>", // this app ID is the audience of the ID token
        postLogoutRedirectUri: window.location.origin,
        endpoints: endpoints,
    };
    window.authContext = new AuthenticationContext(configOptions);

Why can I validate my ID token, but not my access token?


Solution

  • Please refer to this thread: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609

    But if you look at the JWT header you will see a 'nonce'. This means you need special processing; normal processing will fail.

    So if a nonce is included in the access token, validating its signature with jwt.io or JwtSecurityToken will not succeed.