I am trying to verify a signature in Azure AD with Java:
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>azure-storage</artifactId>
        <version>8.6.6</version>
    </dependency>
    <dependency>
        <groupId>com.auth0</groupId>
        <artifactId>java-jwt</artifactId>
        <version>3.18.2</version>
    </dependency>
    <dependency>
        <groupId>com.auth0</groupId>
        <artifactId>jwks-rsa</artifactId>
        <version>0.19.0</version>
    </dependency>
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>2.12.5</version>
    </dependency>
And if I try to verify a token, I receive the following error:
The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA
Applying the following method:
    import com.auth0.jwk.Jwk;
    import com.auth0.jwk.JwkException;
    import com.auth0.jwk.JwkProvider;
    import com.auth0.jwk.UrlJwkProvider;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;
    import java.net.MalformedURLException;
    import java.net.URL;
    import java.security.interfaces.RSAPublicKey;

    private boolean verifyJWT(String azureDiscoveryKeys, String token) {
        try {
            // Fetch the signing keys (JWKS) from the discovery URL
            JwkProvider provider = new UrlJwkProvider(new URL(azureDiscoveryKeys));
            // Decode only (no verification yet) to read the "kid" header
            DecodedJWT jwt = JWT.decode(token);
            Jwk jwk = provider.get(jwt.getKeyId());
            RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();
            // Verification only needs the public key, so no private key is passed
            Algorithm alg = Algorithm.RSA256(publicKey, null);
            JWTVerifier verifier = JWT.require(alg).build();
            verifier.verify(token);
            return true;
        } catch (JWTVerificationException | JwkException | MalformedURLException ex) {
            System.out.println(ex.getMessage());
            return false;
        }
    }
Testing the same method with a token provided by MS ADFS, I am able to verify it, but with Azure AD I am not. How do I verify the token to avoid this error? How do I adapt the code for Azure AD or add support for SHA256withRSA? What is wrong in my code?
Many thanks in advance
Juan Antonio
CodePudding user response:
You are trying to validate an access token meant for Microsoft Graph API. You should not do that, primarily because it is not meant for your app. They use something a bit different for signing and you can't use the same methods to validate Graph API tokens.
When acquiring tokens, make sure to use scopes defined by your application to receive a token for your app. That one you should be able to validate. If you also need to call MS Graph API, then you need to acquire two tokens.
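As an added example (not code from the question or the answer), the same verification written so that the app only accepts tokens issued for it, with issuer and audience pinned, which is what the answer recommends once the token is requested with the app's own scopes. The JWKS URL, issuer and audience values are placeholders that come from the tenant's OpenID configuration and the app registration.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

public class AzureAdTokenVerifier {
    // Keys come from the tenant's JWKS endpoint; caching and rate limiting
    // avoid re-fetching the key set on every request.
    private final JwkProvider provider;
    private final String expectedIssuer;   // e.g. https://login.microsoftonline.com/<TENANT-ID>/v2.0 (placeholder)
    private final String expectedAudience; // the app's client ID or api://<CLIENT-ID> (placeholder)

    public AzureAdTokenVerifier(String jwksUrl, String expectedIssuer, String expectedAudience)
            throws MalformedURLException {
        this.provider = new JwkProviderBuilder(new URL(jwksUrl))
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();
        this.expectedIssuer = expectedIssuer;
        this.expectedAudience = expectedAudience;
    }

    /** Returns the verified token, or null if it is not a valid token for this app. */
    public DecodedJWT verify(String token) {
        try {
            DecodedJWT unverified = JWT.decode(token); // header/claims only, not yet trusted
            Jwk jwk = provider.get(unverified.getKeyId());
            RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();
            JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey, null))
                    .withIssuer(expectedIssuer)     // reject tokens from other tenants/issuers
                    .withAudience(expectedAudience) // reject tokens issued for other APIs
                    .acceptLeeway(60)               // tolerate small clock skew on exp/nbf
                    .build();
            return verifier.verify(token);          // signature, then issuer/audience/expiry
        } catch (JWTVerificationException | JwkException e) {
            System.out.println("Token rejected: " + e.getMessage());
            return null;
        }
    }
}
```

A token acquired for Microsoft Graph carries a different audience and, as the answer notes, is not signed in a way this verifier can check, so it is rejected here either way; only a token requested with this app's scopes passes.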