
How to check signature of a token coming from Azure SSO


I have a frontend which communicates with Azure SSO to log in and then gets a token back.

The frontend sends the token to my Spring Boot backend on each request to check the authorization.

But my Spring Boot backend is not able to check the signature of the token and then get the claims of the token, as the secret contains an illegal base64 character like "~" (it's the secret generated by Azure when you create a new client).

So I have a JwtParser which is used by my Spring Boot Security, with these two methods:

import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;

// Expects a base64-encoded DER SubjectPublicKeyInfo (the body of a "BEGIN PUBLIC KEY" PEM),
// which is what X509EncodedKeySpec parses.
public PublicKey generateJwtKeyDecryption(String jwtPublicKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    byte[] keyBytes = Base64.getDecoder().decode(jwtPublicKey);
    X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(keyBytes);
    return keyFactory.generatePublic(x509EncodedKeySpec);
}

// secretKey is the class field holding the configured value (the Azure secret in the question).
public Claims extractAllClaims(String token) {
    try {
        return Jwts.parserBuilder()
            .setSigningKey(generateJwtKeyDecryption(secretKey))
            .build()
            .parseClaimsJws(token) // verifies the signature before returning the claims
            .getBody();
    } catch (JwtException | IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException e) {
        e.printStackTrace();
    }
    return null;
}

I check the signature of my token with .setSigningKey(), but as I said previously my secret contains illegal base64 characters.

Just to check, I tried to use a "fake" secret key which doesn't contain illegal base64 characters, and I get the error which tells me that the signature was incorrect.

Does someone know how I can resolve this issue? Or is the secret key coming from Azure actually not the public key to check the signature of the token? (The algorithm is RS256.)

Please don't hesitate to ask if you need more information or clarification (sorry for my bad English).


Solution

  • The client secret is not used to verify tokens.

    The public keys from the jwks_uri endpoint are used. You can find the correct URL for yourself by putting your tenant ID into this URL:

    https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
    

    Or if you have a multi-tenant app, you can put "common" or "organizations" instead of a tenant ID. From that JSON document you can find the "jwks_uri" property. That URL has the public keys that can be used to verify token signatures.
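The following is an added example (not the asker's code and not Azure's or jjwt's own code) of what the answer describes: turning the RSA entries of a JWKS document into RSAPublicKey objects, picking the key whose kid matches the token header, and letting jjwt verify the RS256 signature plus issuer, audience and expiry. Assumptions: jjwt 0.11.x (the parserBuilder() API the question uses) with Jackson on the classpath; the JWKS document is constructed locally from a freshly generated key pair that stands in for the tenant's signing key, instead of being fetched from jwks_uri; the kid "example-kid-1", the audience "api://my-backend" and the class and method names are all made up for the illustration, and the issuer keeps the page's <tenant-id> placeholder.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.UnsupportedJwtException;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class JwksVerificationExample {

    // JWK integers are base64url without padding over unsigned big-endian bytes (RFC 7518 section 6.3)
    static String b64u(BigInteger i) {
        byte[] b = i.toByteArray();
        if (b.length > 1 && b[0] == 0) b = Arrays.copyOfRange(b, 1, b.length); // drop the sign byte
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Constructed sample: a JWKS document shaped like the one served at jwks_uri, for one local key. */
    static String jwksFor(String kid, RSAPublicKey pub) {
        return "{\"keys\":[{\"kty\":\"RSA\",\"use\":\"sig\",\"kid\":\"" + kid
            + "\",\"n\":\"" + b64u(pub.getModulus()) + "\",\"e\":\"" + b64u(pub.getPublicExponent()) + "\"}]}";
    }

    /** Parses the "keys" array of a JWKS document into RSAPublicKey objects indexed by kid. */
    static Map<String, RSAPublicKey> parseJwks(String jwksJson) throws Exception {
        Map<String, RSAPublicKey> keys = new HashMap<>();
        KeyFactory kf = KeyFactory.getInstance("RSA");
        for (JsonNode jwk : new ObjectMapper().readTree(jwksJson).get("keys")) {
            if (!"RSA".equals(jwk.path("kty").asText())) continue; // RS256 needs an RSA key
            BigInteger n = new BigInteger(1, Base64.getUrlDecoder().decode(jwk.get("n").asText()));
            BigInteger e = new BigInteger(1, Base64.getUrlDecoder().decode(jwk.get("e").asText()));
            keys.put(jwk.get("kid").asText(), (RSAPublicKey) kf.generatePublic(new RSAPublicKeySpec(n, e)));
        }
        return keys;
    }

    /** Verifies an RS256 JWS with the JWKS key whose kid matches the header, then checks iss, aud and exp. */
    static Claims verify(String token, Map<String, RSAPublicKey> keys, String issuer, String audience) {
        return Jwts.parserBuilder()
            .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                @Override
                public Key resolveSigningKey(JwsHeader header, Claims claims) {
                    if (!"RS256".equals(header.getAlgorithm())) {
                        throw new UnsupportedJwtException("unexpected alg " + header.getAlgorithm());
                    }
                    Key key = keys.get(header.getKeyId());
                    if (key == null) throw new UnsupportedJwtException("unknown kid " + header.getKeyId());
                    return key;
                }
            })
            .requireIssuer(issuer)     // reject tokens minted by another tenant or issuer
            .requireAudience(audience) // reject tokens issued for a different API
            .build()
            .parseClaimsJws(token)     // verifies the signature and expiry before returning the claims
            .getBody();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: stand-in for the identity provider's key pair; the private key stays with the IdP.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idpKey = gen.generateKeyPair();
        Map<String, RSAPublicKey> keys = parseJwks(jwksFor("example-kid-1", (RSAPublicKey) idpKey.getPublic()));

        String issuer = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // tenant placeholder from the page
        String audience = "api://my-backend";                                  // hypothetical app ID URI
        Date exp = new Date(System.currentTimeMillis() + 300_000);

        String token = Jwts.builder().setHeaderParam("kid", "example-kid-1")
            .setIssuer(issuer).setAudience(audience).setSubject("alice").setExpiration(exp)
            .signWith(idpKey.getPrivate(), SignatureAlgorithm.RS256).compact();
        System.out.println("subject: " + verify(token, keys, issuer, audience).getSubject());

        // Same kid, but signed by a key that is not in the JWKS: must fail with a signature error
        String forged = Jwts.builder().setHeaderParam("kid", "example-kid-1")
            .setIssuer(issuer).setAudience(audience).setSubject("mallory").setExpiration(exp)
            .signWith(gen.generateKeyPair().getPrivate(), SignatureAlgorithm.RS256).compact();
        try {
            verify(forged, keys, issuer, audience);
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

In a real backend the JWKS string would be fetched from the jwks_uri found in the discovery document, cached, and refetched when a token arrives with a kid that is not in the cache, since Azure rotates its signing keys. The client secret has no part in this: it stays on the server side for the OAuth client flows and is never a verification key. Spring Boot's spring-security-oauth2-resource-server does the same discovery, JWKS fetch and issuer check for you when configured with the issuer's URL, which is usually the simpler route for a Spring application.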