
Hello everyone, I could REALLY use some help on this.

When trying to validate my token using this code from the MSAL library (https://github.com/AzureAD/microsoft-authentication-library-for-python):

# _load_cache, _build_msal_app, _save_cache and scope are defined elsewhere in the
# web app (this is the body of its token-fetching function, hence the return).
cache = _load_cache()  # This web app maintains one cache per session
cca = _build_msal_app(cache=cache)
accounts = cca.get_accounts()
if accounts:  # So all account(s) belong to the current signed-in user
    result = cca.acquire_token_silent(scope, account=accounts[0])
    _save_cache(cache)
    return result

I grab the id_token from the returned dictionary, which is base64 encoded.

And it returns a header of:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}

Payload of:

{
  "exp": 1664743047,
  "nbf": 1664739447,
  "ver": "1.0",
  "iss": "https://.b2clogin.com/*/v2.0/",
  "sub": "*******",
  "aud": "22b52070-255a-4de8-b9ac-f6f37498e6bb",
  "nonce": "a0da49a5916f3cf9a4fc7432782dba443f7a0e5dafce19f8c919b3e6a1ef67f6",
  "iat": 1664739447,
  "auth_time": 1664699840,
  "oid": "*******",
  "given_name": "Gabriel",
  "tfp": "B2C_1_susi"
}

It is my understanding that there should be a key of "x5t" containing the public key I can use to validate the signature.

When I run the code below to verify my signature it comes back as invalid, which confuses me because I know the token came from AAD.

from azure_ad_verify_token import verify_jwt  # pip install azure-ad-verify-token

azure_ad_app_id = '*******'
azure_ad_issuer = 'https://exampletenant.b2clogin.com/0867afa-24e7-40e9-9d27-74bb598zzzzc/v2.0/'
azure_ad_jwks_uri = 'https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/B2C_1_app_sign_in/discovery/v2.0/keys?appid=*********'

payload = verify_jwt(
    token='<AZURE_JWT_TO_VERIFY_HERE>',
    valid_audiences=[azure_ad_app_id],
    issuer=azure_ad_issuer,
    jwks_uri=azure_ad_jwks_uri,
    verify=True,
)

I am at a complete loss and have not been able to find any answers. Please help when you can; thanks in advance.

2 Answers


  1. Chosen as BEST ANSWER

    So not a complete answer, but you can check out this repo: https://github.com/mpdavis/python-jose. Install it with "pip install python-jose[cryptography]" and you can use the code below. It should return True if the signature is valid, and the decrypted payload.

    from jose import jwk, jwt
    from jose.utils import base64url_decode

    token = "Your base 64 id_token here"
    rsa_key = {  # the entry from the discovery/v2.0/keys document whose kid matches the token header
        "kty": "RSA",
        "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk",
        "use": "sig",
        "alg": "RS256",
        "n": "your modulus",
        "e": "your exponent"  # for example "AQAB"
    }
    key = jwk.construct(rsa_key)
    message, encoded_sig = token.rsplit('.', 1)
    # jose's base64url_decode restores the '=' padding itself but expects bytes; handing it an
    # unpadded str makes it append bytes to a str, which is the error that manual padding worked
    # around. Passing bytes avoids both.
    decoded_sig = base64url_decode(encoded_sig.encode("ascii"))
    res = key.verify(bytes(message, "UTF-8"), decoded_sig)
    # jwt.decode(token=token, key=key.to_pem().decode(), algorithms=['RS256'])  # with PEM key
    allowed_aud = "22b52070-255a-4de8-b9ac-f6f37498e6bb"
    # jwt.decode verifies the signature again and also checks exp, nbf and the audience
    payload = jwt.decode(token, rsa_key, audience=allowed_aud, algorithms=['RS256'])  # with JWK
    print(res)
    print(payload)
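
What azure_ad_verify_token and the python-jose snippet above do with the question's id_token, as an added example that is not from the original post, from MSAL, or from either library: pick the JWKS entry whose kid matches the token header, verify the RS256 signature over header.payload, and only then check aud, iss, exp, nbf and nonce. It is standard-library Python so it runs offline: the RSA key, the JWKS document, the issuer, the nonce and the timestamps are constructed here (the kid and aud values are the ones shown in the question, the issuer is hypothetical), and a toy seeded 1024-bit RSA key stands in for the key b2clogin.com publishes.

```python
import base64, hashlib, hmac, json, math, random, time

# Added example, not code from the original post, MSAL or azure_ad_verify_token. The kid and aud are
# the question's; key, JWKS, issuer, nonce and times are constructed here. Toy 1024-bit RSA, demo only.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin: every random base must fail to be a witness
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def make_rsa_key(bits: int = 1024):
    random.seed(2022)  # seeded so the demo is reproducible; real keys need a CSPRNG
    e, primes = 65537, []
    while len(primes) < 2:  # full-width odd candidates that pass Miller-Rabin and suit e
        cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(cand) and math.gcd(e, cand - 1) == 1 and cand not in primes:
            primes.append(cand)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    # RSASSA-PKCS1-v1_5 encoding with the SHA-256 DigestInfo prefix: what an RS256 signature covers
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _require(ok: bool, reason: str) -> None:
    if not ok:
        raise ValueError(reason)

def jwks_from_key(n: int, e: int, kid: str) -> dict:
    # The document a .../discovery/v2.0/keys endpoint would publish for this key
    b = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": b(n), "e": b(e)}]}

def mint_id_token(claims: dict, n: int, d: int, kid: str) -> str:
    # Stand-in for the identity provider: sign base64url(header).base64url(payload) with d
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"typ": "JWT", "alg": "RS256", "kid": kid}) + "." + enc(claims)
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode("ascii"), k), "big")
    return signing_input + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))

def validate_id_token(token, jwks, audience, issuer, nonce=None, now=None) -> dict:
    """RS256 signature check via the JWKS kid, then aud/iss/exp/nbf/nonce. Raises ValueError on failure."""
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError unless exactly three segments
    header = json.loads(b64url_decode(h_b64))
    _require(header.get("alg") == "RS256", "unexpected alg %r" % header.get("alg"))  # never trust the token's alg
    key = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    _require(key is not None, "no JWKS key with kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s_b64)
    _require(len(sig) == k and int.from_bytes(sig, "big") < n, "signature out of range")
    _require(hmac.compare_digest(pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big"),
                                 _emsa_pkcs1_v15((h_b64 + "." + p_b64).encode("ascii"), k)), "signature invalid")
    claims = json.loads(b64url_decode(p_b64))  # only trustworthy once the signature has been checked
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    _require(audience in (aud if isinstance(aud, list) else [aud]), "audience mismatch")
    _require(claims.get("iss") == issuer, "issuer mismatch")
    _require(now < claims.get("exp", 0), "token expired")
    _require(now >= claims.get("nbf", 0), "token not yet valid")
    _require(nonce is None or claims.get("nonce") == nonce, "nonce mismatch")
    return claims

def demo(now: int = 1664740000) -> dict:
    # Mint one token, run the good case and four rejections; returns case name -> outcome
    n, e, d = make_rsa_key()
    kid, aud = "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk", "22b52070-255a-4de8-b9ac-f6f37498e6bb"  # from the question
    issuer = "https://exampletenant.b2clogin.com/tenant-guid/v2.0/"  # hypothetical issuer
    jwks = jwks_from_key(n, e, kid)
    claims = {"iss": issuer, "aud": aud, "sub": "demo-user", "nonce": "n0nce", "nbf": now - 600, "exp": now + 3000}
    token = mint_id_token(claims, n, d, kid)
    h, p, s = token.split(".")
    tampered = h + "." + b64url_encode(json.dumps(dict(claims, sub="admin")).encode()) + "." + s
    alg_none = b64url_encode(json.dumps({"typ": "JWT", "alg": "none", "kid": kid}).encode()) + "." + p + "."
    base = {"audience": aud, "issuer": issuer, "nonce": "n0nce", "now": now}
    def outcome(tok, **override):
        try:
            return "ok:" + validate_id_token(tok, jwks, **{**base, **override})["sub"]
        except ValueError as err:
            return "rejected:" + str(err)
    return {"valid": outcome(token), "tampered": outcome(tampered), "alg_none": outcome(alg_none),
            "expired": outcome(token, now=now + 4000), "wrong_aud": outcome(token, audience="other-app")}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name.ljust(10), result)
```

Running the file prints one line per case. Two points relevant to the trace in the question: the JWKS entry is selected by kid alone (x5t, where present, is an X.509 certificate thumbprint, not the public key; the modulus and exponent are the n and e members of the matching JWK), and the verifier pins the algorithm instead of reading it from the token, which is why the alg "none" case is rejected before any key is even looked up.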

  2. trying to validate my token using this code from MSAL library https://github.com/AzureAD/microsoft-authentication-library-for-python

    I grab the id_token from the returned dictionary which is base64 encoded

    So not a complete answer but you can check out this repo https://github.com/mpdavis/python-jose

    You should not need to use Python-Jose.

    Recent versions of the MSAL Python library also return an id_token_claims entry in the returned dictionary. Those claims are the payload, which has already been validated for you, so you do not need to validate it yourself.
