AzureAD / passport-azure-ad

The code for Passport Azure AD has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/passport-azure-ad

Invalid Signature of Access Token (Bearer Authentication with Azure Active Directory) #517

Closed pavel-at-adamos closed 3 years ago

pavel-at-adamos commented 3 years ago

I have the same problem as described in issue #340 - invalid signature for the access_token. I tried everything I could find but nothing seems to work. Maybe someone can point me in the right direction.

Here is my setup:

But when I use the access_token I get the "invalid signature" error. When I use the id_token it works fine. However I don't want to use the id_token because I want to implement silent refresh and I can only do that with the access_token.

Here is the configuration of my BearerStrategy:

```javascript
const passport = require('passport');
// BearerStrategy from passport-azure-ad, used here under the name OIDCBearerStrategy
const OIDCBearerStrategy = require('passport-azure-ad').BearerStrategy;

// envVars holds TENANT and CLIENT_ID from the app registration
const envVars = process.env;

const options = {
    identityMetadata: "https://login.microsoftonline.com/" + envVars.TENANT + "/v2.0/.well-known/openid-configuration",
    clientID: envVars.CLIENT_ID,
    passReqToCallback: false,
    audience: envVars.CLIENT_ID,
    validateIssuer: true,
    issuer: 'https://sts.windows.net/' + envVars.TENANT + '/',   // v1-style (sts.windows.net) issuer
    loggingLevel: 'error',
};

const bearerStrategy = new OIDCBearerStrategy(options,
  function (token, done) {
    console.log(token);
    if (!token.oid) {
      return done(new Error('oid is not found in token'));
    }
    // unique_name is a claim of v1 access tokens
    return done(null, token.unique_name, token);
  }
);

passport.use(bearerStrategy);
```

I think the problem is that for some reason I'm getting a v1 token back instead of v2. I tried setting "accessTokenAcceptedVersion": 2 in the manifest of the app registration but it didn't work.

What am I doing wrong?

pavel-at-adamos commented 3 years ago

It turned out I was getting a token for the MS Graph API which I couldn't use for my own API. So I had to expose an API for my app and add it to the permissions in AAD. This is a really good tutorial for this case -> https://authguidance.com/2017/12/01/azure-ad-spa-code-sample/
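The two posts above come down to three claims in the bearer token: `aud` (was the token issued for this API or for Microsoft Graph), `ver` (v1 vs v2) and `iss` (which must match the version). The diagnostic below is an added example, not code from the issue thread or from passport-azure-ad: it decodes a token without verifying it and reports those findings so a misconfiguration like the one above can be spotted before the strategy rejects the signature. The tenant id, client id and sample token are constructed.

```javascript
// Added diagnostic helper (not from the thread): decodes a JWT WITHOUT verifying
// the signature and compares aud/iss/ver with what a BearerStrategy for this API
// would expect. It is for troubleshooting only, never a substitute for validation.
function b64urlJson(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns findings for a compact JWS; clientId/tenant are this API's registration values.
function inspectBearerToken(jwt, clientId, tenant) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = b64urlJson(parts[0]);
  const claims = b64urlJson(parts[1]);
  // Audience values used by Microsoft Graph (URL form and Graph's application id)
  const graphAudiences = ['https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'];
  const ver = claims.ver || '1.0';
  // v1 tokens carry an sts.windows.net issuer, v2 tokens a login.microsoftonline.com/v2.0 issuer
  const expectedIss = ver === '2.0'
    ? `https://login.microsoftonline.com/${tenant}/v2.0`
    : `https://sts.windows.net/${tenant}/`;
  return {
    ver,
    alg: header.alg,
    audienceIsThisApi: claims.aud === clientId || claims.aud === `api://${clientId}`,
    audienceIsGraph: graphAudiences.includes(claims.aud),
    issuerMatchesVersion: claims.iss === expectedIss,
    expectedIss,
    scopes: (claims.scp || '').split(' ').filter(Boolean),
  };
}

// Constructed sample: a v1.0 token issued for Microsoft Graph, as in the first post.
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ typ: 'JWT', alg: 'RS256' })}.${enc(claims)}.sig`;
}
const TENANT = '11111111-2222-3333-4444-555555555555';    // constructed
const CLIENT_ID = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'; // constructed
const graphToken = makeSample({
  aud: 'https://graph.microsoft.com', iss: `https://sts.windows.net/${TENANT}/`,
  ver: '1.0', scp: 'User.Read', oid: 'constructed-oid',
});
console.log(inspectBearerToken(graphToken, CLIENT_ID, TENANT));
```

A token for the exposed API would instead report `audienceIsThisApi: true`, and with `ver` 2.0 the `issuer` option in the strategy has to be the v2.0 form shown in `expectedIss`.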