Tags: azure, jwt, access-token

Azure generation token invalid signature


I am trying to generate a JWT using Microsoft Azure. I successfully obtain the token, but when I include it in the header of my REST API request, I get the following error:

Token verification has failed: JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature

Then I used jwt.io to verify the token, and while I was able to see all the claims and information in the JWT, the signature part was marked as invalid.

What could be causing this issue? How can I resolve the "invalid signature" problem when using the JWT generated by Azure?

Here is the information I use to generate the token using Postman:

Token URL:

https://login.microsoftonline.com/XXXXXXX/oauth2/v2.0/token

Client_id: CCCCC

Scope: openid profile email

grant_type: password with username and password


Solution

  • Agree with @junnas: you need to request a token using the scope defined by your application.

    NOTE: A Microsoft Graph API token (aud: https://graph.microsoft.com) is not meant to be validated, as it is not intended for validation by your application.

    Using the ROPC flow, I tried to generate an access token with username and password.

    POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    client_secret:ClientSecret
    scope:https://graph.microsoft.com/.default
    grant_type:password
    username: <username>
    password: <password>
    
    


    When I decoded the access token generated with scope https://graph.microsoft.com on https://jwt.io, I got the same Invalid Signature error message.


    To resolve the error, you have to avoid validating access token using Microsoft Graph API. You have to validate the access token using your own application or your own custom API.

    I added an Application ID URI and exposed an API.


    You can find the above API in the API permissions blade under the application name only.


    Then I added the exposed API permission.


    I granted admin consent to the added permission.


    Then I changed the scope while generating the access token:

     scope : api://<application-id>/Custom.Read
    


    Now, when I decode the access token generated with scope api://<application-id>/Custom.Read at http://jwt.io, I am able to validate it.


    Reference:

    SO Thread by Gilbert
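The answer fixes the client side (request a token for your own Application ID URI). The other half is what your API does with that token. The Go program below is an added example, not code from the question, the answer or Microsoft: it models the tenant's signing key with a locally generated RSA key (constructed stand-in), keeps the JWKS as an in-memory map from kid to public key (a real API fetches the tenant's discovery keys document and converts each entry's n/e), and uses placeholders for the tenant ID and Application ID URI, which the page elides. `validateToken` pins the algorithm to RS256, selects the key by the header's kid, verifies the signature, then checks iss (the v2.0 endpoint's issuer form), aud and exp. A token minted for aud https://graph.microsoft.com is signed by the same constructed key here, so it is rejected on the audience check; this is the same situation as the question, seen from the API's side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Placeholders for values the page elides; a real API takes them from its app registration.
const (
	tenantIssuer = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0" // v2.0 issuer form
	apiAudience  = "api://APPLICATION-ID-PLACEHOLDER"                              // Application ID URI from "Expose an API"
)

// keySet is the in-memory form of the tenant's JWKS: kid -> RSA public key. A real API
// fetches https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys and converts n/e.
type keySet map[string]*rsa.PublicKey

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// segment base64url-decodes one JWT segment and parses it as JSON into v.
func segment(s string, v any) error {
	raw, err := enc.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// mintToken plays the issuer with a constructed stand-in key: header.claims.RS256 signature.
func mintToken(key *rsa.PrivateKey, kid string, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) // cannot fail for these types
	body, _ := json.Marshal(c)
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// validateToken is what the custom API should do with a bearer token: pin the alg,
// select the key by kid, verify the signature, then check iss, aud and exp.
func validateToken(token string, keys keySet, wantIss, wantAud string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, fmt.Errorf("token must have three segments")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := segment(parts[0], &hdr); err != nil {
		return claims{}, fmt.Errorf("header: %w", err)
	}
	if hdr.Alg != "RS256" { // never let the token pick "none" or an HMAC alg
		return claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return claims{}, fmt.Errorf("no key with kid %q in the tenant JWKS", hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return claims{}, fmt.Errorf("invalid signature")
	}
	var c claims
	if err := segment(parts[1], &c); err != nil {
		return claims{}, fmt.Errorf("claims: %w", err)
	}
	switch {
	case c.Iss != wantIss:
		return claims{}, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return claims{}, fmt.Errorf("audience %q is not %q: token was issued for another resource", c.Aud, wantAud)
	case now.Unix() >= c.Exp:
		return claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the tenant signing key
	keys, now := keySet{"constructed-kid": &key.PublicKey}, time.Now()
	for _, aud := range []string{apiAudience, "https://graph.microsoft.com"} {
		tok, _ := mintToken(key, "constructed-kid", claims{Iss: tenantIssuer, Aud: aud, Exp: now.Add(time.Hour).Unix()})
		_, err := validateToken(tok, keys, tenantIssuer, apiAudience, now)
		fmt.Printf("aud=%s -> err=%v\n", aud, err)
	}
}
```

Run with `go run .`; the first line reports `err=<nil>` for the api:// audience and the second reports the audience mismatch for the Graph token. The order of checks matters: the signature is verified before any claim is trusted, and the key is chosen from your own copy of the tenant JWKS by kid, never from anything the token carries (no `jku`, no embedded `jwk`).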