
I have seen the post with a similar title about Angular JS, but I have been searching for a C# / .net code sample of how to do this presumably common task.

I have found many articles talking about the fact that it must be done, but no straightforward "Here's how you validate an id_token returned from Azure B2C using C# and .net".

Is anyone aware of such a piece of code?

Chris_MSN
  • "Verify the JWT" is too broad. You can literally have 100 verifications that you would like to perform, so maybe that is why there is no such "here's how you validate" out there. – Tiago B Dec 19 '19 at 21:58

1 Answer


Validating an id_token is similar to the first step of validating an access token - your client should validate that the correct issuer has sent back the token and that it hasn't been tampered with. Because id_tokens are always a JWT, many libraries exist to validate these tokens - we recommend you use one of these rather than doing it yourself.

To manually validate the token, see the steps detailed in validating an access token. After validating the signature on the token, the following claims should be validated in the id_token (these may also be done by your token validation library):

  • Timestamps: the iat, nbf, and exp timestamps should all fall before or after the current time, as appropriate.
  • Audience: the aud claim should match the app ID for your application.
  • Nonce: the nonce claim in the payload must match the nonce parameter passed into the /authorize endpoint during the initial request.

You can browse through these samples to find one in the language of your choice. For more information on how to explicitly validate a JWT token, see the manual JWT validation sample.

You can check this thread as well for additional reference:

Hope it helps.

Glorfindel
Mohit Verma
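The steps the answer lists (signature, issuer, audience, lifetime, nonce) in C#, as an added example that is not code from the question, the answer, or Microsoft's samples. It uses the NuGet packages System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect (C# 8 syntax, .NET Core 3.0 or later). `ParametersFromMetadataAsync` is the production path and pulls the issuer and signing keys from the B2C policy's OpenID Connect metadata document; the tenant, policy and client-id values, the issuer string and the nonce are placeholders. `Main` is an offline demo: a locally generated RSA key stands in for B2C's signing key so the code runs without network access, and it shows a wrong nonce and a tampered payload being rejected.

```csharp
// Added example, not code from the question or answer. Requires the NuGet packages
// System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect.
// Tenant, policy, client id, issuer and nonce values are placeholders.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class IdTokenValidator
{
    // Production path: issuer and signing keys come from the policy's metadata document.
    // ConfigurationManager caches the keys and refreshes them on rollover.
    public static async Task<TokenValidationParameters> ParametersFromMetadataAsync(
        string tenant, string policy, string clientId)
    {
        string metadataUrl =
            $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration";
        var manager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataUrl, new OpenIdConnectConfigurationRetriever());
        OpenIdConnectConfiguration config = await manager.GetConfigurationAsync();

        return new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,            // iss must be the policy's issuer
            ValidAudience = clientId,               // aud must be your app's client id
            IssuerSigningKeys = config.SigningKeys, // keys published at jwks_uri
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,                // nbf / exp against the clock
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    }

    // Signature, iss, aud and lifetime are checked by the library. The nonce is
    // application state, so it is compared here against what was sent to /authorize.
    public static JwtSecurityToken Validate(string idToken, TokenValidationParameters parameters, string expectedNonce)
    {
        var handler = new JwtSecurityTokenHandler();
        handler.ValidateToken(idToken, parameters, out SecurityToken validated);
        var jwt = (JwtSecurityToken)validated;

        // Pin the algorithm so a token with alg=none or an HMAC alg is never accepted.
        if (jwt.Header.Alg != SecurityAlgorithms.RsaSha256)
            throw new SecurityTokenInvalidSignatureException($"Unexpected alg '{jwt.Header.Alg}'");

        string nonce = jwt.Payload.Nonce;
        if (nonce == null || !CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(nonce), Encoding.UTF8.GetBytes(expectedNonce)))
            throw new SecurityTokenException("nonce does not match the one sent to /authorize");

        return jwt;
    }

    // Offline demo: a locally generated RSA key stands in for B2C's signing key.
    public static void Main()
    {
        const string issuer = "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/";
        const string clientId = "00000000-0000-0000-0000-000000000000";
        const string nonce = "n-0S6_WzA2Mj"; // placeholder; in practice a random per-login value

        using RSA rsa = RSA.Create(2048);
        var key = new RsaSecurityKey(rsa) { KeyId = "demo-kid" };
        var handler = new JwtSecurityTokenHandler();
        string token = handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = clientId,
            Expires = DateTime.UtcNow.AddMinutes(5), // nbf and iat default to now
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "user-1"), new Claim("nonce", nonce) }),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256),
        }));

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer, ValidAudience = clientId, IssuerSigningKey = key,
            ValidateIssuer = true, ValidateAudience = true, ValidateLifetime = true,
        };

        Console.WriteLine("valid token: sub=" + Validate(token, parameters, nonce).Subject);

        foreach (var (label, t, n) in new[] { ("wrong nonce", token, "other-nonce"), ("tampered payload", TamperPayload(token), nonce) })
        {
            try { Validate(t, parameters, n); Console.WriteLine(label + ": ACCEPTED (bug)"); }
            catch (SecurityTokenException e) { Console.WriteLine(label + ": rejected (" + e.GetType().Name + ")"); }
        }
    }

    // Re-encode the payload with the subject changed while keeping the original signature.
    private static string TamperPayload(string token)
    {
        string[] parts = token.Split('.');
        string json = Encoding.UTF8.GetString(Base64UrlEncoder.DecodeBytes(parts[1]));
        parts[1] = Base64UrlEncoder.Encode(json.Replace("user-1", "admin"));
        return string.Join(".", parts);
    }
}
```

Two points a practitioner should keep in mind: `ValidateLifetime` checks nbf and exp but not iat (the library treats iat as informational, matching RFC 7519), and the metadata document must only ever be fetched over HTTPS from the b2clogin.com host, since whoever controls that document controls which signing keys you trust. The nonce check is the one step no generic library can do for you, because only your application knows the value it sent to `/authorize`.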