AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

Verifying signature of JWT issued by Azure AD #929

Closed nominds closed 3 years ago

nominds commented 3 years ago

Does ADAL.JS have functionality to validate the signature of the token issued by Azure AD using the public key (referring to jwks_uri)? If yes, then how do I achieve the same using ADAL.JS? I have written a SPA, and if I try to hit the jwks_uri endpoint I receive a CORS issue.

jasonnutter commented 3 years ago

@nominds No, it does not. Tokens should only be validated by their intended audience (i.e. the resource defined in the aud claim). Our passport-azure-ad library can be used to do that: https://www.npmjs.com/package/passport-azure-ad

nominds commented 3 years ago

Thanks @jasonnutter for quick response.

The aud claim is nothing but a client_id, right? I remember seeing that adal.js checks if the client_id matches the aud claim and only then proceeds. The library even validates other claims. But I did not find code where it validates the signature to ensure that the token has not been tampered with.

Do you know if MSAL supports validating a token's signature using the public key?

jasonnutter commented 3 years ago

@nominds No, ADAL.js and MSAL.js do not perform signature validation, as the signature should be verified by the resource the token is intended for (e.g. Microsoft Graph, custom web API).

nominds commented 3 years ago

So the web API consuming the token should connect to jwks_uri to validate the token signature.