Where's the Key for My Azure AD B2C Token?

Question

I'm following this guide and using the jwt.io chrome addin but I can't find my key so that I can manually verify the signature.

JWT Header

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "c9HOlAkfaBs4YSKZ7RoMnZlKrVzdkXHB2QoLv1fETQ8"
}

The OpenID Connect metadata document leads me to https://login.microsoftonline.com/common/discovery/v2.0/keys but that response not have this kid.

I've also referenced this blog post.

Answer 1

The URL to retrieve your Azure AD B2C tenant's keys has the following format:

https://login.microsoftonline.com/te/<tenantName>.onmicrosoft.com/b2c_1_<policyName>/discovery/v2.0/keys

For example:

https://login.microsoftonline.com/te/fabrikamb2c.onmicrosoft.com/b2c_1_edit_profile/discovery/v2.0/keys

Note that both the keys and URLs are different from those for regular Azure AD and Azure AD's v2.0 endpoint (the latter being the URL you referenced in your question).

At this time, the keys for all built-in policies (even across tenants) use the same keys, however in the case of custom policies you'll see different keys per tenant and even in some cases, per policy.

Important note: You won't be able to use jwt.io out of the box to validate Azure AD B2C tokens given that the keys in Azure AD B2C are in a different format. See Azure AD B2C - Token validation does not work

Answer 2

This answer is quite old and the URL as at October 2021 is now:

https://<tenantName>.b2clogin.com/<tenantName>.onmicrosoft.com/b2c_1_<policyName>/discovery/v2.0/keys