Closed d3v1l401 closed 3 years ago
Alright, I solved the problem and I see this is a problem that SO MANY developers are complaining about because there's a lack of documentation by Microsoft themselves.
It appears the discovery/keys endpoint exposes public keys produced by a different set for each application, or at least so I suspect, even if the KID is the same the public key will be somehow different from the one our application expects.
So how do I actually fetch god damn public key I need?
You're gonna cry now: get into your AAD application panel > Expose an API On the top part of your section panel you'll see the "Application URI" field, it's smaller than you'd expect, this is used to create an application ID URI path that will be needed to override the scope with the application's default ones (API permissions).
One you've created the App ID URI, copy it and put it into the scope
parameter during the authentication phase and append the /.default
path:
That's it, from this moment the KID will match your Keys indexing page by MS AND will also succeed the authentication using the RSA 256 key.
That's it, it will work now. Feel free to reply to this issue if it is unclear, I'm in no way an AAD expert but f**k MS for wasting my 5 working days on this.
Hey! Thanks for share. I still have a question: Where I can find the value for pubkey variable? Is it in azure? Thank you
Hey! Thanks for share. I still have a question: Where I can find the value for pubkey variable? Is it in azure? Thank you
Yes it is in Azure. Please check the second comment where I posted the solution.
Remember the public key is actually 'x5c' parameter in the rotated keys.
Greetings,
I'm implementing the JWT verification process for an application in Azure AD: once the JWT access token acquired by the client is sent to the backend, the backend needs to verify the token signature first.
To do so, I use the key rotations endpoint by Microsoft over here, of course the "common" path is replaced by the application's Tenant ID.
Every time I verify the JWT it fails the verification from jwt-go's Verify(...) function call, I also debugged and stepped in the code to check exactly where the error happens and it appears to be happening from RSA.
I'm unsure if I'm doing something wrong or if I misunderstood something entirely, anyone who would be kind to help me would be greatly appreciated <3
Here the code:
The output of this, with the correct JWT token acquired manually by calling the authentication endpoint by MS, is:
crypto/rsa: verification error
This is what I've been doing so far that failed:
to this one
Of course without success, it was a desperate attempt.