AAD B2C MSAL for python Token Validation without the public key in JWKS_URI
Question:
Hello Everyone I could REALLY use some help on this.
When trying to validate my token using this code from MSAL library https://github.com/AzureAD/microsoft-authentication-library-for-python
cache = _load_cache() # This web app maintains one cache per session
cca = _build_msal_app(cache=cache)
accounts = cca.get_accounts()
if accounts: # So all account(s) belong to the current signed-in user
result = cca.acquire_token_silent(scope, account=accounts[0])
_save_cache(cache)
return result
I grab the id_token from the returned dictionary which is base64 encoded
And it returns a header of:
{
"typ": "JWT",
"alg": "RS256",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}
Payload of:
{
"exp": 1664743047,
"nbf": 1664739447,
"ver": "1.0",
"iss": "https://.b2clogin.com/*/v2.0/",
"sub": "*******",
"aud": "22b52070-255a-4de8-b9ac-f6f37498e6bb",
"nonce": "a0da49a5916f3cf9a4fc7432782dba443f7a0e5dafce19f8c919b3e6a1ef67f6",
"iat": 1664739447,
"auth_time": 1664699840,
"oid": "*******",
"given_name": "Gabriel",
"tfp": "B2C_1_susi"
}
It is my understanding that there should be a key of "x5t" containing the public key I can use to validate the signature.
When I run the code below to verify my signature it comes back as invalid..which confuses me because I know the token came from AAD.
from azure_ad_verify_token import verify_jwt
azure_ad_app_id = ‘*******’
azure_ad_issuer = ‘https://exampletenant.b2clogin.com/0867afa-24e7-40e9-9d27-74bb598zzzzc/v2.0/’
azure_ad_jwks_uri = ‘https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/B2C_1_app_sign_in/discovery/v2.0/keys?appid=*********’
payload = verify_jwt(
token='<AZURE_JWT_TO_VERIFY_HERE>',
valid_audiences=[azure_ad_app_id],
issuer=azure_ad_issuer,
jwks_uri=azure_ad_jwks_uri,
verify=True,
)
I am at a complete loss and have not been able to find any answers. Please help when you can thanks in advance.
Answers:
So not a complete answer but you can check out this repo https://github.com/mpdavis/python-jose
Import this module "pip install python-jose[cryptography]"
and you can use the code below. Should return True if the signature is valid and the decrypted payload.
token = "Your base 64 id_token here"
rsa_key = {
"kty": "RSA",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk",
"use": "sig",
"alg": "RS256",
"n": "your modulus",
"e": "your exponent" #for example "AQAB"
}
key = jwk.construct(rsa_key)
message, encoded_sig = token.rsplit('.', 1)
decoded_sig = base64url_decode(encoded_sig + '=' * (4 - len(encoded_sig) % 4)) # looks weird, but without added padding I got errors
res = key.verify(bytes(message, "UTF-8"), decoded_sig)
# jwt.decode(token=token, key=key.to_pem().decode(), algorithms= 'RS256') # with PEM key
allowed_aud = "22b52070-255a-4de8-b9ac-f6f37498e6bb"
payload = jwt.decode(token, rsa_key, audience=allowed_aud,algorithms='RS256') # with JWK
print(res)
print(payload)
trying to validate my token using this code from MSAL library https://github.com/AzureAD/microsoft-authentication-library-for-python
I grab the id_token from the returned dictionary which is base64 encoded
So not a complete answer but you can check out this repo https://github.com/mpdavis/python-jose
You should not need to use Python-Jose.
The recent versions of MSAL Python library are able to also return a id_token_claims from the returned dictionary. Those claims are payload that has already been validated for you, so you do not need to.
Hello Everyone I could REALLY use some help on this.
When trying to validate my token using this code from MSAL library https://github.com/AzureAD/microsoft-authentication-library-for-python
cache = _load_cache() # This web app maintains one cache per session
cca = _build_msal_app(cache=cache)
accounts = cca.get_accounts()
if accounts: # So all account(s) belong to the current signed-in user
result = cca.acquire_token_silent(scope, account=accounts[0])
_save_cache(cache)
return result
I grab the id_token from the returned dictionary which is base64 encoded
And it returns a header of:
{
"typ": "JWT",
"alg": "RS256",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}
Payload of:
{
"exp": 1664743047,
"nbf": 1664739447,
"ver": "1.0",
"iss": "https://.b2clogin.com/*/v2.0/",
"sub": "*******",
"aud": "22b52070-255a-4de8-b9ac-f6f37498e6bb",
"nonce": "a0da49a5916f3cf9a4fc7432782dba443f7a0e5dafce19f8c919b3e6a1ef67f6",
"iat": 1664739447,
"auth_time": 1664699840,
"oid": "*******",
"given_name": "Gabriel",
"tfp": "B2C_1_susi"
}
It is my understanding that there should be a key of "x5t" containing the public key I can use to validate the signature.
When I run the code below to verify my signature it comes back as invalid..which confuses me because I know the token came from AAD.
from azure_ad_verify_token import verify_jwt
azure_ad_app_id = ‘*******’
azure_ad_issuer = ‘https://exampletenant.b2clogin.com/0867afa-24e7-40e9-9d27-74bb598zzzzc/v2.0/’
azure_ad_jwks_uri = ‘https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/B2C_1_app_sign_in/discovery/v2.0/keys?appid=*********’
payload = verify_jwt(
token='<AZURE_JWT_TO_VERIFY_HERE>',
valid_audiences=[azure_ad_app_id],
issuer=azure_ad_issuer,
jwks_uri=azure_ad_jwks_uri,
verify=True,
)
I am at a complete loss and have not been able to find any answers. Please help when you can thanks in advance.
So not a complete answer but you can check out this repo https://github.com/mpdavis/python-jose
Import this module "pip install python-jose[cryptography]"
and you can use the code below. Should return True if the signature is valid and the decrypted payload.
token = "Your base 64 id_token here"
rsa_key = {
"kty": "RSA",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk",
"use": "sig",
"alg": "RS256",
"n": "your modulus",
"e": "your exponent" #for example "AQAB"
}
key = jwk.construct(rsa_key)
message, encoded_sig = token.rsplit('.', 1)
decoded_sig = base64url_decode(encoded_sig + '=' * (4 - len(encoded_sig) % 4)) # looks weird, but without added padding I got errors
res = key.verify(bytes(message, "UTF-8"), decoded_sig)
# jwt.decode(token=token, key=key.to_pem().decode(), algorithms= 'RS256') # with PEM key
allowed_aud = "22b52070-255a-4de8-b9ac-f6f37498e6bb"
payload = jwt.decode(token, rsa_key, audience=allowed_aud,algorithms='RS256') # with JWK
print(res)
print(payload)
trying to validate my token using this code from MSAL library https://github.com/AzureAD/microsoft-authentication-library-for-python
I grab the
id_tokenfrom the returned dictionary which is base64 encoded
So not a complete answer but you can check out this repo https://github.com/mpdavis/python-jose
You should not need to use Python-Jose.
The recent versions of MSAL Python library are able to also return a id_token_claims from the returned dictionary. Those claims are payload that has already been validated for you, so you do not need to.