8

I'm using MSAL to get an access token. It works fine and I'm able to log in and retrieve my Active Directory user.

However, I'm having problems using it to access an API, and I have noticed that when I inspect the token at https://jwt.io/ it says INVALID SIGNATURE.

Is this a problem? If so how can I fix it?

Ben Gannaway
  • Possible duplicate of [Azure AD B2C - Token validation does not work](https://stackoverflow.com/questions/44330242/azure-ad-b2c-token-validation-does-not-work) – spottedmahn Jun 14 '18 at 16:36

2 Answers

11

No, it isn't a big concern because JWT.io doesn't have the public key, but you can verify the token signature by:

  1. Copying the public key from the "keys" endpoint in Azure AD B2C.
  2. Converting this public key from the JSON Web Key (JWK) format to the PEM format.
  3. Pasting the public key to the "Verify Signature" field in JWT.io.

The keys endpoint is:

https://login.microsoftonline.com/te/{tenant}/{policy}/discovery/v2.0/keys

The public key can be converted from the JWK format to the PEM format using tools such as the jwt-to-pem package.

spottedmahn
Chris Padgett
  • This solved a 1 week block for me. I didn't know that Azure AD B2C creates keys in JWK format. I was completely lost looking for the PEM one. – Mario Codes Aug 27 '21 at 10:51
  • jwt.ms does the same decoding as .io but also performs validation for AAD and AAD B2C tokens – Garrison Neely Mar 15 '22 at 22:55
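The three steps above, carried through in code as an added example (this is not code from the answer, from MSAL or from Microsoft): it converts an RSA JWK of the shape the keys endpoint returns into the PEM SubjectPublicKeyInfo that jwt.io's "Verify Signature" box accepts, and then performs the RS256 check itself, selecting the key by the `kid` in the token header the same way a validating API would. Everything is standard-library Python. The RSA key pair, the JWKS document, the `kid` value `constructed-kid` and the token's claims are all constructed in-process purely to exercise the code (a small demo-only key, never a production one); in real use the JWKS comes from the B2C keys endpoint for the policy that issued the token.

```python
"""Verify an RS256 JWT against a JWKS and convert its JWK to PEM (standard library only).
Key pair, JWKS and token below are CONSTRUCTED in-process; real keys come from Azure AD B2C."""
import base64, hashlib, json, math, secrets
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 section 9.2

def b64url_encode(raw: bytes) -> str:  # JWT and JWK use unpadded base64url
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _jwk_ints(jwk: dict) -> tuple:  # (n, e) of an RSA JWK as integers
    return tuple(int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))

def _der(tag: int, body: bytes) -> bytes:  # minimal DER tag-length-value encoder
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def _der_uint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)  # INTEGER must stay positive

def jwk_to_pem(jwk: dict) -> str:
    """RSA JWK -> PEM SubjectPublicKeyInfo, the form jwt.io's 'Verify Signature' box accepts."""
    n, e = _jwk_ints(jwk)
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(e))  # PKCS#1 RSAPublicKey
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))
    body = base64.b64encode(spki).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def verify_rs256(token: str, jwks: dict) -> bool:
    """True iff the signature validates under the JWKS key whose kid matches the token header."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # malformed token, JSON or base64
        return False
    if header.get("alg") != "RS256":  # the token never gets to choose a weaker algorithm
        return False
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        return False
    n, e = _jwk_ints(key)
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    expected = _emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode("ascii"), k)
    return pow(int.from_bytes(sig, "big"), e, n) == expected

# ---- constructed issuer side standing in for Azure AD B2C: demo key only, never production ----
def _is_probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin; n is odd and > 3 here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(candidate):
            return candidate

def make_test_keypair(bits: int = 1024) -> tuple:  # returns (n, e, d)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1 and (p * q).bit_length() == bits:
            return p * q, e, pow(e, -1, phi)

def sign_rs256(claims: dict, kid: str, n: int, d: int) -> str:
    header_b64 = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode("ascii"), k), d, n)
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig.to_bytes(k, 'big'))}"

def demo() -> dict:
    n, e, d = make_test_keypair()
    jwk = {"kty": "RSA", "use": "sig", "kid": "constructed-kid",
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
           "e": b64url_encode(e.to_bytes(3, "big"))}
    jwks = {"keys": [jwk]}  # same shape as the /discovery/v2.0/keys response
    token = sign_rs256({"sub": "user-1", "aud": "api://clientId"}, jwk["kid"], n, d)
    head, _, sig = token.split(".")  # tampered copy: original header and signature, altered claims
    forged = f"{head}.{b64url_encode(json.dumps({'sub': 'admin', 'aud': 'api://clientId'}).encode())}.{sig}"
    return {"pem": jwk_to_pem(jwk), "valid": verify_rs256(token, jwks),
            "forged_payload": verify_rs256(forged, jwks), "unknown_kid": verify_rs256(token, {"keys": []})}
```

`demo()` returns the PEM you would paste into jwt.io plus three verification outcomes: the genuine token validates, the same signature over altered claims does not, and a JWKS that lacks the header's `kid` yields a clean failure rather than an exception. A signature that checks out is still only step one for an API: issuer, audience and expiry must be checked as well, and the JWKS should be fetched for the specific policy that issued the token and looked up by `kid`, so that key rotation is handled without code changes.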
0

Adding my solution, as when searching for my issue I was brought here. My problem was that everything seemed to work (able to login, MSAL got the token, MSAL added it to the headers for a protected resource API call, etc.), but when the API call was made the API responded with 401 Unauthorized. Unsure why, I decoded the token and it warned me of an invalid signature.

In the end the issue was that on my protected resource I had "user.read" as well as my scope for the API (api://clientId/scope). So for some reason the additional user.read scope broke something in the API. Not sure why, as the API has the user.read API permission. Regardless, it might be something to double check.