Closed wpo365 closed 6 years ago
@wpo365 Thanks for the feedback. Please provide the link to the document that you are referring to.
@vasivara-MSFT I messed up "signed" and "encrypted". Because OpenID Connect ID tokens created by a corporate Azure AD tenant are encrypted, I wrongly assumed the B2C tokens are also encrypted, but there is no key in the metadata file. But I've now found the documentation stating that "Because the JWTs issued by Azure AD B2C are signed but not encrypted, you can easily inspect the contents of a JWT to debug it." ... So everything is clear!
According to the documentation the Azure AD B2C JWT token's payload is signed with an algorithm indicated in the JWT token's header. However, when I analyze the payload it's merely Base64 encoded but not signed using a public key. Is this undocumented but default behavior and is there a way to find out whether the token is signed other than trial and error?
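Added example, not from this thread and not Microsoft's code: a stdlib-only Python script that shows what "signed but not encrypted" means for a token like the one asked about. A JWS has three dot-separated segments; the header and payload are only base64url-encoded, so anyone can read them, and the third segment is the signature. For `alg: RS256` that signature is checked with the RSA public key from the JWKS document that the OpenID metadata's `jwks_uri` points to, selected by the header's `kid`. An encrypted token (JWE) would have five segments instead, which is the quick structural check the question asks for. The RSA key pair, the `kid` value `demo-kid-1` and the claims are constructed for the demo; a real verifier loads the JWKS from the tenant's metadata rather than generating a key.

```python
import base64
import hashlib
import hmac
import json
import random

def b64url_encode(raw: bytes) -> str:  # base64url without padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def inspect_token(token: str) -> dict:
    parts = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(parts))  # signed tokens have 3 segments, encrypted ones 5
    if kind is None:
        raise ValueError("not a compact-serialized JWS or JWE")
    header = json.loads(b64url_decode(parts[0]))
    info = {"kind": kind, "alg": header.get("alg"), "kid": header.get("kid")}
    if kind == "JWS":  # payload is only base64url-encoded, so anyone can read it
        info["payload"] = json.loads(b64url_decode(parts[1]))
    return info

# Throw-away RSA key pair for the demo; a real verifier takes keys from the jwks_uri document.
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(cand):
            return cand

def make_demo_rsa_key(bits: int = 1024) -> tuple:
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # (n, e, d); pow(e, -1, m) needs Python 3.8+

_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RS256 = RSASSA-PKCS1-v1_5/SHA-256
def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))  # compare the whole encoding

def public_jwk(n: int, e: int, kid: str) -> dict:
    size = lambda v: (v.bit_length() + 7) // 8
    return {"kty": "RSA", "use": "sig", "kid": kid,  # one entry of the JWKS behind jwks_uri
            "n": b64url_encode(n.to_bytes(size(n), "big")),
            "e": b64url_encode(e.to_bytes(size(e), "big"))}

def issue_demo_token(claims: dict, n: int, d: int, kid: str) -> str:
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def verify_jwt(token: str, jwks: list) -> dict:
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no signing key with kid %r" % header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify((h + "." + p).encode(), b64url_decode(s), n, e):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(p))
```

Run it by calling `make_demo_rsa_key()`, wrapping the public half with `public_jwk`, issuing a token with `issue_demo_token`, and feeding it to `inspect_token` and `verify_jwt`. The point the thread settles on is visible in the output: `inspect_token` prints the claims without any key, because base64url is encoding, not encryption, while `verify_jwt` is the only step that proves the token came from the issuer. Changing one byte of the payload or swapping the header's `alg` makes `verify_jwt` raise. A production verifier additionally checks `iss`, `aud`, `exp` and `nbf` after the signature passes.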