
How to verify an Azure OAuth Access JWT Token in native JavaScript without using a library?

I have an OAuth Access Token (it's from Azure). I would like to verify the signature.

I've decoded the token

Header

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "abc123",
  "kid": "abc123"
}

And the payload

{
  "aud": "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "iss": "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
  "iat": 1580132587,
  "nbf": 1580132587,
  "exp": 1580136487,
  "acct": 0,
  "acr": "1",
  "aio": "xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx==",
  "amr": [
    "pwd"
  ],
  "appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxf",
  "appidacr": "0",
  "ipaddr": "yyy.yyy.yyy.yyy",
  "name": "test",
  "oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "scp": "user_impersonation",
  "sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "unique_name": "test@mycompany.onmicrosoft.com",
  "upn": "test@mycompany.onmicrosoft.com",
  "uti": "xxxxxxxxxxxxx-xxxxxxxxx",
  "ver": "1.0"
}

(After verifying the intended audience (aud)) I need to verify the signature. To do that I first need to calculate the signature. To do that

  1. I need to call the Azure metadata document to confirm the public key in the header.

https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration

  2. From that I get the public keys (JWKS URI), eg

https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys

  3. This gives me an array

    [
      {
        "kty": "RSA",
        "use": "sig",
        "kid": "abc123",
        "x5t": "abc123",
        "n": "...",
        "e": "...",
        "x5c": ["..."],
        "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"
      },
      {
        "kty": "RSA",
        "use": "sig",
        "kid": "...",
        "x5t": "...",
        "n": "...",
        "e": "...",
        "x5c": ["..."],
        "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"
      }
    ]

  4. I check that kid and x5t match the fields in the header.

Questions

  1. How to calculate the actual signature? In my case the signing algorithm is RS256, so I have to do something like this

RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), public_key)

  2. What is the public_key?
  3. And in native JavaScript, is there a function RSASHA256?

Get the x5t that matches the kid of the received token. That is the public key, though it typically needs translating to PEM format.

Most people then use a certified library to validate the signature with the public key. Here is some code of mine that does that to validate an Azure token.

By native JavaScript I assume you mean NodeJS, since access tokens are validated by APIs and not UIs.

Ultimately I believe libraries like jsonwebtoken call underlying operating system crypto code, not for the faint-hearted.
