Tags: java, spring, azure, oauth-2.0, nimbus

Azure OAuth2: can't validate access token


I am trying to validate the access token provided by Azure OAuth2. I am using Nimbus to validate the token; however, I keep getting the "invalid signature" error.

I read on some pages that if the access token contains a nonce, then I won't be able to validate it, since it's meant to be used internally by Microsoft only. I followed the instructions on this page (https://authguidance.com/azure-ad-troubleshooting/) to get the access token without a nonce, but it doesn't work.

I can see that the ID token doesn't contain a nonce, but the access token does.

Does anyone know how I can get an access token (without a nonce) that I can validate using Nimbus?


Solution

  • Note that if you validate an access token generated with Microsoft Graph API as the scope, you will get an "Invalid Signature" error, as it has a nonce claim.

    I tried to reproduce the same in my environment and got the results below.

    I registered one Azure AD application and added Microsoft Graph API permissions.

    Now I generated an access token and an ID token using the authorization code flow via Postman with the parameters below:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    client_id:<appID>
    grant_type:authorization_code
    scope: https://graph.microsoft.com/User.Read openid
    code:code
    redirect_uri: https://jwt.ms
    client_secret: <secret>
    

    When I decoded the above access token on the jwt.io website, I too got an Invalid Signature error, as it has a nonce claim.

    To get an access token without a nonce claim, change the scope value to a custom API instead of Microsoft APIs.

    I added an Application ID URI and a new scope named Custom.Read by selecting Expose an API in my application.

    You can find the above scope under My APIs of your application with the same name.

    Now, add that scope in the API permissions of your application.

    Make sure to grant admin consent to the added permission.

    To get the code, I ran the authorization request below in the browser:

    https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
    ?client_id=<appID>
    &response_type=code
    &redirect_uri=https://jwt.ms
    &response_mode=query
    &scope=api://<appID>/.default
    &state=12345
    

    Now, I generated an access token by changing the scope to the custom API using the authorization code flow via Postman, like below:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    client_id:<appID>
    grant_type:authorization_code
    scope: api://<appID>/Custom.Read openid
    code:code
    redirect_uri: https://jwt.ms
    client_secret: <secret>
    

    When I decoded the above access token on the jwt.io website, it does not have a nonce claim and the signature was verified successfully.
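As an added example that is not part of the original question or answer, the following Java class shows how the validation the answer describes looks with Nimbus JOSE+JWT (9.x, which provides JWKSourceBuilder). The class name, the tenant ID and the expected issuer and audience are assumptions: Azure AD issues a v1.0-format access token (iss https://sts.windows.net/<tenantID>/, aud api://<appID>) for a custom API unless the API's manifest sets accessTokenAcceptedVersion to 2, in which case iss is https://login.microsoftonline.com/<tenantID>/v2.0 and aud is the API's client ID, so set both to whatever your decoded token shows. The nonce the answer refers to sits in the JOSE header of Graph-scoped tokens, so the check below reads it from the header and turns the generic "invalid signature" failure into an explicit error before any key lookup happens.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.net.URL;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Set;

// Hypothetical class for this example; not from the original post.
public class AzureAccessTokenValidator {

    private final ConfigurableJWTProcessor<SecurityContext> processor;

    /**
     * @param tenantId         Azure AD tenant ID (assumed value, from your app registration)
     * @param expectedIssuer   https://sts.windows.net/<tenantID>/ for a v1.0-format token, or
     *                         https://login.microsoftonline.com/<tenantID>/v2.0 when the API's
     *                         accessTokenAcceptedVersion is 2
     * @param expectedAudience api://<appID> for a v1.0-format token, or the API's client ID for v2.0
     */
    public AzureAccessTokenValidator(String tenantId, String expectedIssuer, String expectedAudience)
            throws Exception {
        // Tenant signing keys. The JWK source caches the set and re-fetches it when a token
        // arrives with a "kid" it has not seen, which covers Microsoft's key rollover.
        JWKSource<SecurityContext> keys = JWKSourceBuilder
                .<SecurityContext>create(new URL(
                        "https://login.microsoftonline.com/" + tenantId + "/discovery/v2.0/keys"))
                .build();

        processor = new DefaultJWTProcessor<>();
        // Pin the algorithm to RS256 so a token claiming "none" or HS256 is rejected outright.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        // Exact-match issuer, required audience, and claims that must be present.
        // exp/nbf are checked against the clock (with Nimbus's default skew) by this verifier.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                expectedAudience,
                new JWTClaimsSet.Builder().issuer(expectedIssuer).build(),
                Set.of("sub", "iat", "exp")));
    }

    /** Verifies signature, issuer, audience and lifetime; returns the claims on success. */
    public JWTClaimsSet validate(String token) throws ParseException, BadJOSEException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        JWSHeader header = jwt.getHeader();
        // A "nonce" in the JOSE header marks a token minted for Microsoft Graph
        // (scope https://graph.microsoft.com/...). Its signature cannot be verified by a
        // third-party API, so fail with a precise message instead of "invalid signature".
        if (header.getCustomParam("nonce") != null) {
            throw new BadJOSEException(
                    "Token was issued for Microsoft Graph (header nonce present); "
                  + "request scope api://<appID>/<scope> for this API instead");
        }
        return processor.process(jwt, null);
    }

    /**
     * Delegated tokens carry granted scopes space-separated in "scp"; app-only tokens carry
     * app roles in "roles". A valid signature alone does not authorise anything, so check
     * the permission your endpoint needs (e.g. "Custom.Read" from the answer).
     */
    public static boolean hasScope(JWTClaimsSet claims, String required) throws ParseException {
        String scp = claims.getStringClaim("scp");
        if (scp != null && Arrays.asList(scp.split(" ")).contains(required)) {
            return true;
        }
        var roles = claims.getStringListClaim("roles");
        return roles != null && roles.contains(required);
    }
}
```

Usage: construct the validator once (the JWK source is cached) and call validate on each bearer token, then hasScope(claims, "Custom.Read") before serving the request. If validation of a custom-API token still fails on issuer or audience, compare the iss and aud values in the decoded token against the two forms listed in the constructor comment; mismatching them is the usual cause once the Graph nonce problem is out of the way.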