Unable to successfully validate an access token from Microsoft Graph API

Question

I am using the Microsoft Graph API along with Microsoft Authentication Library (MSAL) to acquire access tokens and I can successfully retrieve the access token, id token and refresh token. I can also successfully validate the id token. However, I cannot do the same for the access token as I'm getting this error:

raise InvalidSignatureError('Signature verification failed')
jwt.exceptions.InvalidSignatureError: Signature verification failed

I've reviewed as best as I can the microsoft documentation regarding validation here: Microsoft identity platform access tokens

For validation, I can successfully decode using the jwt.ms site for jwt validation. So I know the tokens are good. I can see from the decode the claims and extract the aud(audience) and iss(issuer). These values are not the same for the id token (which I can successfully validate).

I am using the public keys from the following url as documented:

https://login.microsoftonline.com/<TENANT ID>/discovery/keys

So, what I missing in regards to validating the access token? (if I can validate the id token with no issues). How else can i troubleshoot this?

score 2 · Answer 1 · answered Sep 21 '20 at 13:49

Jim's answer is correct and there are 2 use cases really - so it depends what you are trying to do:

Getting an access token for Microsoft resources - such as Graph - in which case you don't validate them
Getting a token for your own API resources, in which case you need to validate them. For this to work you need to 'expose an API scope' to get a different type of access token

Behaviour is not intuitive in my opinion, since I like to build standards based solutions. If it helps, here is a visual blog post of mine on getting the second scenario above working.

Gary, you're blog really helped break it down. Appreciate the response in this. — noober, Sep 25 '20 at 13:25

score 1 · Accepted Answer · answered Sep 18 '20 at 05:31

As far as I knew, we do not need to validate Microsoft graph signature. Because MsGraph recognized an opportunity to improve security for users. They achieved this by putting a ‘nonce’ into the jwt header. The JWS is signed with a SHA2 of the nonce, the nonce is replaced before the JWS is serialized. To Validate this token, the nonce will need to be replaced with the SHA2 of the nonce in the header. Now this can change since there is no public contract. So When calling Microsoft Graph, you should treat access tokens as opaque. For more details, please refer here and here

appreciate the response. both answers helped me understand the issue. — noober, Sep 25 '20 at 18:24

Unable to successfully validate an access token from Microsoft Graph API

2 Answers2

Linked