vmurin / react-native-azure-auth

React Native library implementing Azure AD OAuth2 API
MIT License

Can't verify accessToken signature #221

Closed dev-sda1 closed 3 months ago

dev-sda1 commented 3 months ago

Hi there,

I have an API that takes the accessToken from the sign-in prompt as an Authorization header, and I'm using Microsoft's public keys available at https://login.microsoftonline.com/TENANT_ID/discovery/keys to verify that the token is legit. However, attempts to do this result in it returning an invalid signature, which it also does on jwt.io.

I've also tried generating a .pem certificate using the public key that matches the kid through node's crypto package, but also didn't have success there.

Any ideas?

vmurin commented 3 months ago

Hi,

first of all - this question is actually not related to this library. The library transfers the tokens AS IS.

What have you used as TENANT_ID? Have you tried "common"? Some other clues you could find under the following links:

https://stackoverflow.com/questions/77036505/signature-validation-of-my-azure-access-token-private-key

https://stackoverflow.com/questions/76009655/using-an-azure-ad-tenant-id-and-a-valid-token-issued-for-a-app-registration/76013867#76013867

https://learn.microsoft.com/en-us/answers/questions/1359059/signature-validation-of-my-access-token-private-ke

https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-the-signature

The two last documents state that in most cases comparing the "kid" claim is enough to be sure the signature is created with the right key. Check other approaches to do full cryptographic verification.

I close the issue as not directly related to the library code.