I am completely new to JWT and OAuth, but after 8 hours of searching I am stuck. I have this code:

```php
<?php
    // php-jwt 5.x style call: the third argument lists the allowed algorithms
    require_once '/home/site/PHP-JWT/vendor/autoload.php';
    use \Firebase\JWT\JWT;
    $jwt = $_SERVER['HTTP_X_MS_TOKEN_AAD_ID_TOKEN']; // ID token injected by App Service authentication
    $secret_key = "Where_to_find_this";               // placeholder: the key this question is asking about
    $decoded = JWT::decode($jwt, $secret_key, array('RS256'));
    print_r($decoded);
?>
```

The $jwt variable has a proper token (jwt.io can decode it fine). What should I use for the $secret_key value? I keep reading it should be my Azure (or Azure AD) private key, but I've got no clue where to start looking for this. Besides: if jwt.io can decode this token without providing it any certificates, how can this be safe?

Martijn Balink
  • Why do you need to manually decode the token? – ADyson Mar 21 '23 at 14:20
  • *Besides: if jwt.io can decode this token without providing it any certificates, how can this be safe?* - tokens are signed, not encrypted: [If you can decode JWT, how are they secure?](https://stackoverflow.com/q/27301557) – jps Mar 21 '23 at 15:01
  • *keep reading it should be my Azure (or Azure AD) private key* - you need the public key to **verify** the token. You should find the key in the form of a JWK on an endpoint as described here: [Azure active directory JWT Public key changing](https://stackoverflow.com/q/58330545) – jps Mar 21 '23 at 15:09
  • @ADyson: I need to decode the token in order to retrieve some additional claims in the token. I need those user properties for my application to work. – Martijn Balink Mar 22 '23 at 09:00
  • @jps Thanks for the clarification about the signing. Makes perfect sense. However, if Microsoft will change the public key not only periodically but also on an ad-hoc basis, it will involve a lot more programming to get that all in place. I feel the easier way to fetch the user properties I need from Azure is through a call to the Graph API. I will abandon the path of decoding JWT tokens. – Martijn Balink Mar 22 '23 at 09:04

1 Answer

To incorporate the required functionality in your code, you need to include the `use \Firebase\JWT\Key;` statement and use the `JWT::decode()` method with the appropriate parameters. The updated code snippet below demonstrates the implementation:

```php
<?php
require_once '/home/site/PHP-JWT/vendor/autoload.php';
use \Firebase\JWT\JWT;
use \Firebase\JWT\Key;

$jwt = $_SERVER['HTTP_X_MS_TOKEN_AAD_ID_TOKEN'];
$secret_key = "Where_to_find_this";
// php-jwt 6.x style: the key and its algorithm are wrapped in a Key object
$decoded = JWT::decode($jwt, new Key($secret_key, 'HS256'));
print_r($decoded);
```

By adding the `use \Firebase\JWT\Key;` statement, you ensure that the `Key` class from the JWT library is properly imported and accessible for use. The `JWT::decode()` method is then utilized to decode the provided JWT token using the `new Key($secret_key, 'HS256')` as the key.

Hemant
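The approach jps's comments describe, as an added example that is not part of the question or the answer: an Azure AD ID token is RS256-signed, so it is verified with the tenant's published public keys (JWKS), not a shared secret, and the key set is refreshed when an unknown `kid` shows up after a rotation. It assumes firebase/php-jwt 6.3 or later (for `JWK::parseKeySet` with a default algorithm and the `$headers` argument of `decode`), tokens from the v2.0 endpoint, and `TENANT_ID` / `CLIENT_ID` placeholders for your own values.

```php
<?php
// Added example, not from the question or answer: verify an Azure AD ID token
// against the tenant's JWKS with firebase/php-jwt >= 6.3.
require_once '/home/site/PHP-JWT/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

const TENANT_ID  = '<your-tenant-id>';     // placeholder
const CLIENT_ID  = '<your-app-client-id>'; // placeholder: expected "aud" claim
const JWKS_URL   = 'https://login.microsoftonline.com/' . TENANT_ID . '/discovery/v2.0/keys';
const JWKS_CACHE = '/tmp/aad_jwks.json';   // cache so each request does not refetch the keys

// Return the tenant's signing keys as Key objects indexed by "kid".
function loadKeys(bool $refresh = false): array
{
    if ($refresh || !is_file(JWKS_CACHE) || filemtime(JWKS_CACHE) < time() - 86400) {
        $json = file_get_contents(JWKS_URL);
        if ($json === false) {
            throw new RuntimeException('Could not fetch JWKS from ' . JWKS_URL);
        }
        file_put_contents(JWKS_CACHE, $json);
    }
    $jwks = json_decode(file_get_contents(JWKS_CACHE), true);
    // Azure AD's JWK entries carry no "alg", so RS256 is supplied as the default.
    return JWK::parseKeySet($jwks, 'RS256');
}

function verifyIdToken(string $jwt): stdClass
{
    $headers = new stdClass();
    try {
        $claims = JWT::decode($jwt, loadKeys(), $headers);
    } catch (UnexpectedValueException $e) {
        // An unknown "kid" usually means Microsoft rotated keys: refresh once and retry.
        // A token that is genuinely bad (signature, expiry) fails again here.
        $claims = JWT::decode($jwt, loadKeys(true), $headers);
    }
    // Signature, exp, nbf and iat are checked by php-jwt; issuer and audience are ours to check.
    $issuer = 'https://login.microsoftonline.com/' . TENANT_ID . '/v2.0';
    if (($claims->iss ?? '') !== $issuer || ($claims->aud ?? '') !== CLIENT_ID) {
        throw new UnexpectedValueException('Token issuer or audience mismatch');
    }
    return $claims;
}

$claims = verifyIdToken($_SERVER['HTTP_X_MS_TOKEN_AAD_ID_TOKEN']);
print_r($claims); // the verified claims, e.g. preferred_username, oid, tid
```

Tokens from the v1.0 endpoint carry a different `iss` (`https://sts.windows.net/<tenant>/`), so adjust the issuer check to match the token version your app receives.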