
I generated access tokens using Azure AD + Spring Boot using the OAuth2 Authorization Code grant flow. But when I try to validate the generated token (using the Spring Boot resource server APIs) I get an "Invalid Signature" error.

The question is: I get the "Invalid Signature" error when I copy/paste the token into jwt.io as well.

[jwt.io screenshot]

Does that mean that my access token does not actually have a valid signature?

When I switched the algorithm from RS256 to HS256 in jwt.io it says that the signature was verified, which I found strange.

Is there any way I can know what algorithm is used by Azure AD to generate access tokens after a successful user login?

dsreddy
  • What was the resource/scope you used when acquiring the token? – juunas Dec 23 '22 at 13:50
  • I am currently struggling with the same issue, on iOS. Tried changing to HS256 and it certainly does change to "Signature Verified". I found these two links which may be of help: https://stackoverflow.com/q/50816301/319826 and https://stackoverflow.com/q/44330242/319826. HTH. – kometen Dec 23 '22 at 13:51
  • Changing the algorithm to "HS256" on jwt.io causes a recalculation of the signature, and the recalculated signature is of course valid, but that does not mean that you verified the original token. When you paste a token, the verification is based on the alg value in the header. It doesn't make sense to change it manually. – jps Dec 23 '22 at 13:59
  • Hi juunas, the scope used is: openid, profile. – dsreddy Dec 23 '22 at 14:17
  • The answer at https://stackoverflow.com/a/41132320/319826 has a link to a Go program at https://go.dev/play/p/Ch6Nr9F6Ik which you can copy and compile on your machine. It produces an RSA PUBLIC KEY in PEM format, but I did not get a valid signature with this. – kometen Dec 23 '22 at 14:21
  • Hi kometen, from what I have looked at on StackOverflow it looks like you cannot validate access tokens with the OpenID scope, at least in my case. Below is the link for reference: https://stackoverflow.com/questions/65149128/azure-access-token-invalid-signature-in-jwt-io?rq=1 – dsreddy Dec 23 '22 at 15:12
  • Thank you, this is very interesting. It seems I need to create a client secret in the mobile app's "Certificates & secrets". – kometen Dec 23 '22 at 15:35

1 Answer


I tried to reproduce the same in my environment and got the below results:

I generated Authorization code by using the below endpoint:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
    client_id=ClientID
    &response_type=code
    &redirect_uri=RedirectURI
    &response_mode=query
    &scope=openid profile
    &state=12345

[screenshot: authorization code returned on the redirect URI]

I generated the access token using Authorization code grant flow using Postman by using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:openid profile
grant_type:authorization_code
redirect_uri:RedirectURI 
code:code

[screenshot: token response in Postman]

When I decoded the above access token, I got the same error, as below:

[screenshot: jwt.io showing Invalid Signature]

Note that a Graph API token doesn't require validation (aud is Graph). A Graph access token will not pass signature verification in the code because the access token is not for the application.

To resolve the issue, you can try replacing the scope with api://ClientIDofApp/.default while generating the token, like below:

[screenshot: token request with scope api://ClientIDofApp/.default]

The access token was decoded successfully without any error, as below:

[screenshot: jwt.io showing Signature Verified]

Reference:

openid - Signed JWT rejected: Invalid signature azure-spring-boot (github.com)

Rukmini
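The two points in this thread (the answer's "a Graph token is not for your application, so your resource server cannot verify it" and jps's comment that flipping jwt.io to HS256 merely re-signs the token) can be checked offline before any JWKS lookup is attempted. The script below is an added example, not code from the question, the answer, or the linked GitHub issue; it uses only the Python standard library. The tokens it inspects are constructed inline with placeholder signature bytes and a hypothetical tenant and client ID, so no real RS256 verification happens here; what it shows is the pre-flight a resource server should do (reject any token whose aud is not this API, reject any alg other than the one expected, require a kid) and why an HS256 "Signature Verified" badge proves nothing about the original RS256 signature. The Graph application ID 00000003-0000-0000-c000-000000000000 and the https://graph.microsoft.com audience are the well-known values Azure AD puts in Graph tokens.

```python
import base64
import hashlib
import hmac
import json

# Well-known Microsoft Graph audience values (either may appear in a Graph token).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUD_URI = "https://graph.microsoft.com"

# Hypothetical values for this example (not real identifiers).
MY_APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
MY_APP_AUDIENCES = {MY_APP_CLIENT_ID, "api://" + MY_APP_CLIENT_ID}
ISSUER = "https://login.microsoftonline.com/constructed-tenant/v2.0"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek(token: str) -> dict:
    """Decode header and payload WITHOUT verifying anything (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def preflight(token: str, expected_aud: set, expected_alg: str = "RS256") -> tuple:
    """Checks a resource server should run before fetching a JWKS key.

    Returns (ok, reason). The alg is taken from the token only to compare it
    against the algorithm we expect; the token never gets to choose it."""
    info = peek(token)
    alg = info["header"].get("alg")
    if alg != expected_alg:
        return False, "alg %r not allowed, expected %r" % (alg, expected_alg)
    kid = info["header"].get("kid")
    if not kid:
        return False, "no kid in header, cannot select a key from the JWKS"
    aud = info["payload"].get("aud")
    if aud in (GRAPH_APP_ID, GRAPH_AUD_URI):
        return False, ("token is for Microsoft Graph, not this API; request "
                       "scope api://<client-id>/.default instead")
    if aud not in expected_aud:
        return False, "aud %r is not this API" % (aud,)
    return True, "RS256 token for this API; verify signature with kid %r" % (kid,)


def make_token(header: dict, payload: dict, signature: bytes) -> str:
    """Build a compact JWS from parts (signature bytes supplied by the caller)."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return "%s.%s.%s" % (compact(header), compact(payload), b64url_encode(signature))


def hs256_resign(token: str, secret: bytes) -> str:
    """What the jwt.io algorithm dropdown does when switched to HS256: it
    rewrites alg and re-signs header.payload with the secret in the text box.
    The result verifies against that secret by construction, which says
    nothing about the RS256 signature the token originally carried."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    header["alg"] = "HS256"
    signing_input = b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." + payload_b64
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def hs256_verify(token: str, secret: bytes) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


# Constructed sample tokens. The signature bytes are placeholders, not RSA output.
FAKE_SIG = b"constructed-placeholder-not-an-rsa-signature"
GRAPH_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
    {"aud": GRAPH_APP_ID, "iss": ISSUER, "scp": "openid profile"},
    FAKE_SIG,
)
API_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
    {"aud": MY_APP_CLIENT_ID, "iss": ISSUER, "scp": "access_as_user"},
    FAKE_SIG,
)


if __name__ == "__main__":
    for name, tok in (("graph token", GRAPH_TOKEN), ("api token", API_TOKEN)):
        print(name, preflight(tok, MY_APP_AUDIENCES))
    resigned = hs256_resign(GRAPH_TOKEN, b"whatever-jwt.io-has-in-the-box")
    print("HS256 re-sign verifies against its own secret:",
          hs256_verify(resigned, b"whatever-jwt.io-has-in-the-box"))
    print("...but the resigned token fails preflight:", preflight(resigned, MY_APP_AUDIENCES))
```

Run it as a script to see the Graph token rejected on audience, the api:// token passed to the "go fetch kid from the JWKS" step, and the HS256-resigned copy verifying against its own secret while failing the alg check. In a Spring Boot resource server the same audience and algorithm pinning is what the JWT decoder's audience validator and algorithm configuration enforce; the script only makes the failure modes visible without a network round trip.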