
I have set up a user flow in Azure AD B2C. The resulting id_token is a JWT. But how can I verify the signature of that JWT on the API that needs to be protected by this JWT?

Here is an example JWT:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}
{
  "exp": 1587973546,
  "nbf": 1587969946,
  "ver": "1.0",
  "iss": "https://appmanager2020.b2clogin.com/903e0c59-0e1d-4769-8a57-0caba1f56999/v2.0/",
  "sub": "f11eaa2e-0bad-400a-864f-57f9daa70999",
  "aud": "8ab24fa8-a5f2-4f7d-a1ad-31f21d7f999",
  "nonce": "123456",
  "iat": 1587969946,
  "auth_time": 1587969946,
  "idp": "https://sts.windows.net/903e0c59-0e1d-4769-8a57-0caba1f56999/",
  "oid": "f11eaa2e-0bad-400a-864f-57f9daa70999",
  "emails": [
    "some@email.com"
  ],
  "tfp": "B2C_1_some_employee_flow"
}

I tried this URL without luck:

https://login.microsoftonline.com/te/appmanager2020.onmicrosoft.com.onmicrosoft.com/b2c_1_xxx_employee_flow/discovery/v2.0/keys

Nikola Schou

  • The URL seems to be a keystore (can't see, because you 'xxx'ed the id). Generally you need a URL on which the public keys are published (which you probably got). Read the JWKS from there and find the key with the ID (kid) identical to the kid in the header of your token. Similar to [this](https://stackoverflow.com/questions/61395261/how-to-validate-signature-of-jwt-from-jwks-without-x5c) – jps Apr 29 '20 at 08:39

2 Answers


As far as I know, there is no way to judge whether a JWT is legal, but an exception will be thrown when decoding an illegal JWT, so you can judge whether it is legal by catching the exception.

Decode JWT:

import io.jsonwebtoken.Jwts;

// SECRET_KEY is the key the token was signed with: the shared secret for an HS256 token,
// or the issuer's RSA public key for an RS256 token like the one in the question.
public String parseToken(String jwt) {
    return Jwts.parser()
            .setSigningKey(SECRET_KEY)
            .parseClaimsJws(jwt)   // throws if the signature, exp or nbf is invalid
            .getBody()
            .getSubject();
}

Verify JWT:

import io.jsonwebtoken.JwtException;

public boolean isTokenValid(String jwt) {
    try {
        parseToken(jwt);
    } catch (JwtException | IllegalArgumentException e) {   // malformed, tampered or expired token
        return false;
    }
    return true;
}
Carl Zhao

  • This answer is correct but not exactly what I was after. I was actually confused because I couldn't find the key URL. But I found it after some more research. – Nikola Schou Apr 30 '20 at 20:46


We found the public keys URL and from there we could make it work using code similar to the above.

Nikola Schou
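The following is an added example, not code from either answer, of the approach described in the comment on the question: fetch the JWKS published for the policy, pick the key whose kid matches the token header, rebuild the RSA public key from its n and e, and verify the signature and claims with jjwt. It assumes jjwt 0.9.x and Jackson on the classpath, that the JWKS JSON body has already been fetched from the policy's jwks_uri (the class name and the fetching step are hypothetical), and it uses the issuer, audience and tfp values from the token in the question.

```java
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyFactory;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolverAdapter;

public class B2cIdTokenVerifier {
    // Expected values, taken from the token shown in the question.
    static final String ISSUER = "https://appmanager2020.b2clogin.com/903e0c59-0e1d-4769-8a57-0caba1f56999/v2.0/";
    static final String CLIENT_ID = "8ab24fa8-a5f2-4f7d-a1ad-31f21d7f999";
    static final String POLICY = "B2C_1_some_employee_flow";
    private final Map<String, Key> keysByKid = new java.util.HashMap<>();

    /** jwksJson: the JSON body fetched (and cached) from the policy's jwks_uri, {"keys":[{kid,n,e,...}]}. */
    B2cIdTokenVerifier(String jwksJson) throws Exception {
        Map<String, Object> jwks = new ObjectMapper().readValue(jwksJson, Map.class);
        for (Map<String, String> jwk : (List<Map<String, String>>) jwks.get("keys")) {
            keysByKid.put(jwk.get("kid"), rsaPublicKey(jwk.get("n"), jwk.get("e")));
        }
    }

    // Rebuild the RSA public key from the JWK's base64url modulus and exponent (no x5c needed).
    static Key rsaPublicKey(String n, String e) throws Exception {
        Base64.Decoder b64 = Base64.getUrlDecoder();
        BigInteger modulus = new BigInteger(1, b64.decode(n)), exponent = new BigInteger(1, b64.decode(e));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    /** Returns the claims only if signature, issuer, audience, policy, exp and nbf all check out. */
    Claims verify(String idToken) {
        return Jwts.parser()
                .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                    @Override
                    public Key resolveSigningKey(JwsHeader header, Claims claims) {
                        Key key = keysByKid.get(header.getKeyId()); // pick the JWK whose kid matches the header
                        if (key == null) throw new IllegalArgumentException("unknown kid: " + header.getKeyId());
                        return key;
                    }
                })
                .requireIssuer(ISSUER)
                .requireAudience(CLIENT_ID)
                .require("tfp", POLICY)
                .parseClaimsJws(idToken) // throws JwtException on bad signature, unsigned token, exp or nbf
                .getBody();
    }
}
```

The nonce in the token should additionally be compared with the one your application sent in the sign-in request, and the cached JWKS should be refreshed when an unknown kid is seen, since B2C rotates its signing keys.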