How to validate Azure Access Token in python
It seems like a simple process and already lots of libraries out there but for some reason I cannot make it work. I am very new to Azure and not a native English speaker so I might use some terminologies wrong, bear with me.
I am developing a tool with python3.10 for internal use and I need to authenticate users. Our Azure team has registered the web app (single tenant) for me and gave me the tenant id, client id and client secret. End user can use Microsoft provided library (ms-identity) and the sample code (ms-identity-python-webapp)to get the Access Code(password flow) and send it to my code. Let's skip why we are doing it this way and security concerns. My question is how can I validate the access token? Googling returns some solutions using jwt module or python module called azure-ad-verify-token but none of them work for me. I also, saw a step by step instruction on how find the public key from "login.microsoftonline.com/{tenant id}/discovery/v2.0/keys" and add Begin certificate/End certificate to access token but jwt.decode function always returns "Signature verification failed". Can someone help me understand what I am doing wrong?
jwt.decode(
access_token,
public_key, # public key found in discovery/v2.0/keys "-----BEGIN CERTIFICATE-----\nMII...
algorithms='RS256',
audience=client_id,)
You will face this issue if you are generating token for Microsoft Graph API:
In python:
And getting this error is normal behavior.
In Jwt.io website:
Even here we are getting Invalid Signature:
This can be resolved when you generate token for custom API in my case I exposed an API and added scope and followed SO-Thread:
Now added permissions like below:
And then grant permission:
Now used the python code taken from SO-Thread .
And then when I run the code I got output as expected:
"grant_type": "password",
"client_id": f"{client_id}",
"client_secret": f"{client_secret}",
"scope": "api://743-ac99-9e/custom_scope",
"username":"m9.onmicrosoft.com",
"password":"Welc3"
Now checked in jwt.io website:
Note:
The Graph API access tokens cannot be validated because they are not intended for the application. To check any permission for access token, you can use Expose API method to validate it.
- matplotlib 3D scatter plot alpha varies when viewing different angles
- How to write very long string that conforms with PEP8 and prevent E501
- Getting Home Directory with pathlib
- how to avoid bot detection on websites using selenium python
- Python mock to create a fake object return a dictionary when any of its attributes are used
- Polars vs. Pandas: size and speed difference
- How to mock.patch a class imported in another module
- Python - error cannot determine truth value of Relational (Newton-Raphson)
- ProcessPoolExecutor logging fails to log inside function on Windows but not on Unix / Mac
- SQLAlchemy ORM Insert or Update when importing from JSON
- django managers vs proxy models
- Pytroch clamp for complex values
- For every identifier select only rows with largest order column
- truth value for Expr is ambiguous in with_columns ternary expansion on dates
- Remove equal characters from two python strings
- Python pyad module can't set UPN
- Macro VS Micro VS Weighted VS Samples F1 Score
- Printing a Tree data structure in Python
- How to fix/reset decreasing timestamps while preserving gaps in time-series data for CNN training?
- Test that module is NOT imported
- Pyserial module isn't installed on PATH
- Print a multiplication table in Python
- Python: ModuleNotFoundError: No module named 'xyz'
- Receiving Import Error: No Module named ***, but has __init__.py
- PyQt5 QProgressBar border radius issue
- URL-encoding and -decoding a string in Python
- Fastest way to find the smallest possible sum of the absolute differences of pairs within a single array?
- Flask: Update Code Reference for: current_app._get_current_object()
- Export Charts from Excel as images using Python
- Align yaxis label spanning two axes with yaxis labels of one axes in subplots