Microsoft JWT token validation

Time:10-06

I receive a JWT token (ID token); how do I validate it correctly? As I understand it, Microsoft uses an asynchronous signature for the JWT token, so I have two questions: Where can I get the public key for verification? And secondly, how can I use it for verification?

P.S. Why does Google have an official token validation library, but Microsoft does not?

I need to verify the tokenId token received from MS Azure AD. The token itself I get on the Angular client, which then sends it to the server, where it must be verified. Below is an example of code that displays the tokenId on the console.

import { Component, OnInit } from '@angular/core';
// Social-login library that provides SocialAuthService, SocialUser and the provider ids;
// the package name is assumed here (older releases published it as 'angularx-social-login')
import { SocialAuthService, SocialUser, MicrosoftLoginProvider, GoogleLoginProvider } from '@abacritt/angularx-social-login';
// Application's own service; the import path is assumed
import { TokenStorageService } from './token-storage.service';

// Component metadata (selector and template) assumed for completeness
@Component({ selector: 'app-account', templateUrl: './account.component.html' })
export class AccountComponent implements OnInit {

  constructor(private tokenService: TokenStorageService, private readonly _authService: SocialAuthService) { }

  ngOnInit(): void {
    // Arrow function keeps the component's "this" when the callback is invoked
    this._authService.authState.subscribe((user: SocialUser) => this.externalAccountLogin(user));
  }

  signInWithMicrosoft(): void {
    this._authService.signIn(MicrosoftLoginProvider.PROVIDER_ID);
  }

  externalAccountLogin(user: SocialUser): void {
    switch (user.provider) {
      case MicrosoftLoginProvider.PROVIDER_ID:
        // ID token issued by Azure AD; this is what has to be sent to and verified on the server
        console.log(user.idToken);
        break;
      case GoogleLoginProvider.PROVIDER_ID:
        // ToDo
        break;
    }
  }
}

CodePudding user response:

It is very common and there are a lot of articles on implementing this. Please find them below:

JWT Implementation in Asp.Net Core

JWT Token Implementation .Net 6.0

Creation of JWT Token .Net

Microsoft also has a library to validate JWT tokens.

How JWT Validate Token

There are three major parts in a token: token type & algorithm, payload, and last the signature.

When you add the JWT configuration in your .NET Core application then:

  1. Validate Token

    First it checks whether the signature is correct or not. If someone tampers with the signature, it throws an exception because the token is not valid.

For this we provide validation parameters such as key, issuer and audience in TokenValidationParameters:

using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

services.AddAuthentication(x =>
    {
        x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(o =>
    {
        // Symmetric signing key read from configuration (HMAC-signed tokens)
        var Key = Encoding.UTF8.GetBytes(Configuration["JWT:Key"]);
        o.SaveToken = true;
        o.TokenValidationParameters = new TokenValidationParameters
        {
            // Issuer and audience are configured below, so their checks are enabled;
            // leaving them false would accept tokens minted for any issuer or audience
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = Configuration["JWT:Issuer"],
            ValidAudience = Configuration["JWT:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(Key)
        };
    });
  2. Need to validate payload or claims

    We can create middleware to validate the payload or claims: fetch data from the payload and write logic to validate it.

Validate JWT Token of Azure AD

A. You can use the Microsoft Graph API to validate it.

  1. Enable ASP.NET Core web app to sign in users and call Microsoft Graph
  2. Protect Aspnet Core Application

B. Or follow the same steps mentioned above using TokenValidationParameters. Key, issuer and audience are also available in the JWT tokenId of Azure AD. Get them from the Azure portal and copy them into Startup in TokenValidationParameters.
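For the Azure AD case in option B, the signing key is not a shared secret in configuration: Azure AD signs ID tokens with RSA keys whose public halves are published at the jwks_uri listed in the tenant's OpenID Connect discovery document. The following is an added example, not code from this answer, showing a server-side validator that pulls the issuer and the signing keys from that document and then applies TokenValidationParameters as described above. It assumes a single-tenant app registration, placeholder tenantId and clientId values taken from the Azure portal, and the NuGet packages Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt.

```csharp
// Added example: validate an Azure AD ID token using the public keys from the
// tenant's OpenID Connect discovery document (not code from the original answer).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public sealed class AzureAdIdTokenValidator
{
    private readonly string _clientId;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;

    // tenantId and clientId are placeholders: take both from the app registration in the Azure portal.
    public AzureAdIdTokenValidator(string tenantId, string clientId)
    {
        _clientId = clientId;

        // The discovery document contains the issuer and the jwks_uri with the current
        // RSA public keys. ConfigurationManager caches it and refreshes it on demand.
        var metadataAddress =
            $"https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration";
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress, new OpenIdConnectConfigurationRetriever());
    }

    // Returns the validated principal or throws a SecurityTokenException subtype.
    public async Task<ClaimsPrincipal> ValidateAsync(string idToken, CancellationToken ct = default)
    {
        var oidcConfig = await _configManager.GetConfigurationAsync(ct);

        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = oidcConfig.Issuer,            // issuer as published by the tenant
            ValidateAudience = true,
            ValidAudience = _clientId,                  // ID tokens carry aud = the app's client id
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = oidcConfig.SigningKeys, // RSA public keys downloaded from jwks_uri
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // reject "none" and HMAC
        };

        var handler = new JwtSecurityTokenHandler();
        try
        {
            return handler.ValidateToken(idToken, parameters, out _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // Key rollover: the token's "kid" is not in the cached key set.
            // Force one metadata refresh and retry before giving up.
            _configManager.RequestRefresh();
            oidcConfig = await _configManager.GetConfigurationAsync(ct);
            parameters.IssuerSigningKeys = oidcConfig.SigningKeys;
            return handler.ValidateToken(idToken, parameters, out _);
        }
    }
}
```

Register one instance per application (the cached discovery document is the point of ConfigurationManager), pass the idToken the Angular client posted to ValidateAsync, and treat any thrown SecurityTokenException as an authentication failure. For a multi-tenant registration the issuer in the common-endpoint metadata is a template rather than a fixed value, so issuer validation would need an IssuerValidator instead of the single ValidIssuer used here.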

CodePudding user response:

why does google have an official token validation library, but microsoft does not?

Have you tried the microsoft.identity.web package? https://learn.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web

I could authenticate my API with it.
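As an added example of the package mentioned in this answer (not the answerer's own code), the following minimal ASP.NET Core API uses Microsoft.Identity.Web to do the discovery-document download, key retrieval and issuer/audience/lifetime/signature checks inside the JWT bearer middleware, so no key material has to be copied into configuration. It assumes an "AzureAd" section in appsettings.json with placeholder TenantId and ClientId values from the Azure portal, the Microsoft.Identity.Web NuGet package, and a .NET 6 style top-level Program.cs.

```csharp
// Added example: protect the endpoint that receives the Azure AD token with
// Microsoft.Identity.Web (not code from the original answer).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Assumed appsettings.json section (values are placeholders, not real identifiers):
// "AzureAd": {
//   "Instance": "https://login.microsoftonline.com/",
//   "TenantId": "<tenant-id-from-azure-portal>",
//   "ClientId": "<application-client-id-from-azure-portal>"
// }
// The library builds the metadata address from Instance + TenantId, fetches the
// signing keys from the discovery document, and sets ValidAudience to ClientId.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication(); // validates "Authorization: Bearer <token>" on every request
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class AccountController : ControllerBase
{
    // Only requests carrying a token that passed signature, issuer, audience and
    // lifetime validation reach this action; everything else gets 401.
    [HttpPost("external-login")]
    [Authorize]
    public IActionResult ExternalLogin()
    {
        // Extension methods from Microsoft.Identity.Web that read the "oid" and
        // display-name style claims from the validated principal.
        var objectId = User.GetObjectId();
        var displayName = User.GetDisplayName();
        return Ok(new { objectId, displayName });
    }
}
```

The Angular client sends user.idToken in the Authorization header of its request to /api/account/external-login; the server never needs the signing key itself, only the tenant and client identifiers that identify which published keys and which audience are acceptable.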
