
I want to validate only the signature of the token which I receive after logging in with Azure B2C AD.

Examples shown on the web use a secret or key parameter, which I'm not sure where I can get from if Azure B2C AD generates the token.

If it's possible, how can I achieve only that signature validation without more validations for Audience etc.?

EDIT: it uses "alg": "RS256"

gneric
  • Check out this question: https://stackoverflow.com/questions/59840170/validating-the-token-recieved-from-azure-ad-b2c-using-the-values-from-jwks-uri The best one I found – Leonardo Dec 23 '20 at 20:05

1 Answer


Microsoft has an example application which uses System.IdentityModel.Tokens.Jwt from AAD IdentityModel Extensions for .Net to validate JWT tokens, including signatures. Here is the code that does the actual validation, which leverages JwtSecurityTokenHandler. I suppose if you wanted to strip out just the signature validation code you could pull that from the ValidateToken or ValidateSignature methods in the source code.

Josh
  • What about the key parameter that these methods expect, what exactly should I provide? I looked upon this endpoint https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_sign_in but I'm still confused. – gneric Jul 17 '18 at 14:03
  • This all uses the OpenID Connect protocol. If you're interested in how that works, [you can find a ton of stuff online](https://www.google.com/search?q=introduction+to+openid+connect). [This article](https://www.pingidentity.com/developer/en/resources/openid-connect-developers-guide.html) has a specific section on validating OpenID Connect signatures using keys from the well-known OIDC endpoints – Josh Jul 17 '18 at 14:18
  • Found this https://stackoverflow.com/a/41041219/4990859 and it did the work. It's done. – gneric Jul 17 '18 at 14:18
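Putting the answer and the comments together, here is an added example (not code from the question, the answer, or Microsoft's sample) of signature-only validation of an RS256 token with JwtSecurityTokenHandler, taking the public keys from the B2C discovery keys endpoint quoted above. The tenant and policy names in that URL are assumed to be placeholders for your own.

```csharp
using System;
using System.Net.Http;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

static class SignatureOnlyValidator
{
    // JWKS endpoint for the B2C policy. It returns a "keys" array of public
    // RSA keys; the "kid" in the token header says which one signed the token.
    const string JwksUrl =
        "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_sign_in";

    public static JwtSecurityToken ValidateSignatureOnly(string token)
    {
        using var http = new HttpClient();
        string jwksJson = http.GetStringAsync(JwksUrl).GetAwaiter().GetResult();
        var jwks = new JsonWebKeySet(jwksJson);

        var parameters = new TokenValidationParameters
        {
            // Only the signature is checked: the handler selects the key whose
            // "kid" matches the token header and verifies RS256 with it.
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = jwks.GetSigningKeys(),
            RequireSignedTokens = true,      // reject "alg": "none"

            // Everything else is switched off, as the question asks. What that
            // gives up: an expired token, or one issued by the same tenant for a
            // different application, still passes this check.
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = false,
        };

        var handler = new JwtSecurityTokenHandler();
        // Throws SecurityTokenInvalidSignatureException on a bad signature and
        // SecurityTokenSignatureKeyNotFoundException if no key has that "kid".
        handler.ValidateToken(token, parameters, out SecurityToken validated);
        return (JwtSecurityToken)validated;
    }
}
```

In production the three switched-off checks belong back on, and the key set should be cached and refreshed (for example via ConfigurationManager&lt;OpenIdConnectConfiguration&gt;) rather than fetched per token, since B2C rotates its signing keys.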