Tags: azure-active-directory, azure-ad-msal

Is it possible to validate an AzureAd token by http request?


I have been tasked with validating AzureAd tokens in an existing API without adding additional dependencies to the project. Is it possible to validate a token by making an HTTP request to Azure and passing along the token?

I know that my test configuration, which leverages the Microsoft.Identity.Web package (which I am asked to avoid for the final result), has, in addition to the ClientId, TenantId, and scopes, the Instance set to https://login.microsoftonline.com/, so I assume an underlying HTTP call is being made.

Is there any documentation to show how I could manually build such an HTTP request to validate the token that way?

Thanks!


Solution

  • No, there is no endpoint that does that.

    What happens under the hood:

    1. You provide the library the Authority, for example https://login.microsoftonline.com/common/v2.0
    2. The library (basic JWT/OpenID Connect authentication provider or Microsoft.Identity.Web) constructs the metadata URL by adding /.well-known/openid-configuration to the end: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
    3. The metadata URL is loaded at startup. It contains another URL in the jwks_uri property of the JSON, for example: https://login.microsoftonline.com/common/discovery/v2.0/keys
    4. This URL is then also loaded to get the public signing keys.
    5. Using the signing keys, the library can verify the token signature is valid and the token has not been modified. It does this by looking at the kid (key id) in the token header part and finds the matching key from the keys it loaded. Then it's a matter of applying asymmetric cryptography stuff.
    6. It then checks the issuer (iss), validity start time (iat), expiry time (exp) + potentially some other things
    7. You will have provided the library at least with a valid audience in addition to the authority. It also checks that the audience (aud) matches this.

    So the token validation only requires the OpenID Connect metadata + the public signing keys for the key pairs that Azure AD might use to sign tokens. After these are loaded, the app does not need a connection to Azure AD to validate tokens. Usually libraries do reload the metadata and signing keys once in a while, since keys can change at times, though quite rarely.
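The seven steps above, as an added worked example that is not part of the answer and not code from Microsoft.Identity.Web: Go with the standard library only. To run offline, the signing key pair and the JWKS document are generated locally in place of what Azure AD would serve from jwks_uri, and the issuer URL, audience, kid and timestamps are constructed placeholders. The validator pins the algorithm to RS256, selects the key by kid, verifies the signature over header.payload, then checks iss, aud, nbf and exp.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk is one entry of the document served at jwks_uri (RSA fields only).
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// jwks is the whole key set document.
type jwks struct {
	Keys []jwk `json:"keys"`
}

// claims holds the registered claims the validator checks.
// Azure AD issues aud as a single string, so a string field is used here.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
	Sub string `json:"sub"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// keyFromJWK rebuilds an RSA public key from the base64url n and e fields.
func keyFromJWK(k jwk) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" {
		return nil, fmt.Errorf("unsupported key type %q", k.Kty)
	}
	n, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	e, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// validateToken is steps 5-7 of the answer against an already-loaded key set.
// now is Unix seconds; skew tolerates a little clock drift between issuer and API.
func validateToken(token string, keys jwks, issuer, audience string, now int64) (*claims, error) {
	const skew = 60
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	// Never let the token pick the algorithm: "none" or an HMAC alg would bypass the asymmetric check.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == header.Kid {
			if pub, err = keyFromJWK(k); err != nil {
				return nil, err
			}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no signing key with kid %q", header.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("audience %q is not this API", c.Aud)
	case c.Nbf > now+skew:
		return nil, errors.New("token not yet valid")
	case c.Exp <= now-skew:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// issueTestKey creates a key pair plus the JWKS document an issuer would publish for it.
// Constructed for this example only: with Azure AD the key set is fetched from jwks_uri
// and the API never holds the private half.
func issueTestKey(kid string) (*rsa.PrivateKey, jwks, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, jwks{}, err
	}
	e := big.NewInt(int64(priv.PublicKey.E)).Bytes()
	return priv, jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64(priv.PublicKey.N.Bytes()), E: b64(e)}}}, nil
}

// signToken mints an RS256 token the way the issuer would (example only).
func signToken(priv *rsa.PrivateKey, kid string, c claims) (string, error) {
	header := b64([]byte(fmt.Sprintf(`{"alg":"RS256","typ":"JWT","kid":"%s"}`, kid)))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

func main() {
	// Placeholder issuer/audience; a real API uses its tenant's v2.0 issuer and its own app ID URI.
	const iss, aud = "https://login.microsoftonline.com/<tenant-id>/v2.0", "api://example-api"
	priv, keys, err := issueTestKey("example-kid")
	if err != nil {
		panic(err)
	}
	now := int64(1700000000)
	tok, _ := signToken(priv, "example-kid", claims{Iss: iss, Aud: aud, Iat: now, Nbf: now, Exp: now + 3600, Sub: "alice"})
	c, err := validateToken(tok, keys, iss, aud, now)
	fmt.Println(c, err)
}
```

In a real API, steps 2 to 4 are one `net/http` fetch of the openid-configuration document and then of its jwks_uri at startup, with the parsed key set cached; the usual trigger for a refresh is a token whose kid is not in the cache, which is how key rollover is picked up without polling on every request.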