Azure generation token invalid signature
I am trying to generate a JWT using Microsoft Azure. I successfully obtain the token, but when I include it in the header of my REST API request, I get the following error:
Token verification has failed: JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature
Then I used jwt.io to verify the token, and while I was able to see all the claims and information in the JWT, the signature part was marked as invalid.
What could be causing this issue? How can I resolve the "invalid signature" problem when using the JWT generated by Azure?
Here is the information I use to generate token using Postman
Token url
https://login.microsoftonline.com/XXXXXXX/oauth2/v2.0/token
Client_id: CCCCC
Scope: openid profile email
grant_type: password with username and password
Agree with @junnas, Need to request a token using scope defined by your application.
NOTE: Microsoft Graph API token is not meant to be validated,
aud: httos://graph.microsoft.comas it is not for the application validation.
Using ROPC flow, I tried to generate access token with username and password.
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:password
username: <username>
password: <password>
When I decode the access token with using scope: https:/graph.microsoft.comon https://jwt.io , I got same Invalid Signature error message.
To resolve the error, you have to avoid validating access token using Microsoft Graph API. You have to validate the access token using your own application or your own custom API.
Added Application ID URI and I Expose an API like below:
You can find above API in API permission blade with the application name only:
Now added Exposed API Permission:
Granted Admin Consent to the added permission:
Now I changed the scope while generating access token
scope : api://<application-id>/Custom.Read
Now, When I decode this generated access token at http://jwt.io , with scope : api://<application-id>/Custom.Read , Now I am able validate the access token.
Reference:
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?