1
votes

I'm having trouble verifying the signature of ID tokens obtained during authentication in Azure Active Directory B2C.

I'm looking at this set of instructions: Azure AD B2C preview: Token reference > Token validation (https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-tokens/#token-validation)

So, I'm trying different Python 3 packages to verify the signature, and all of them seem to need the JWT, which is the ID token, and the 'key' or 'secret', which is the public key to verify the signature.

To be clear, Azure Active Directory B2C ID Tokens are signed using RS256:

{'alg': 'RS256'} // Found in header of ID token

I'm using this link to fetch the keys:

https://login.microsoftonline.com/<b2c_directory>.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_sign_in

This link returns a JSON string, which contains the following keys: "kid", "use", "kty", "n", "e"

From what I read, the "n" and "e" keys are related to the public key needed to verify the signature. I have tried both individually and concatenated (n+e and e+n), and I am not able to verify that signature.

I am using PyJWT, but I don't mind using other Python 3 packages as long as they verify the signature successfully, even adal, if anyone has figured out how to get that to work to authenticate using OpenID.

1
So "e" is the exponent, and "n" is the modulus. Anyone know how to combine those to produce a public key suitable for verifying the ID Token signature? – Ed Solis
If you have a look here for load_rsa_pub_key(): github.com/jpadilla/pyjwt/blob/… You may get some idea on how to work with public keys. – Brent Schmaltz

1 Answer

1
votes

@Ed, as far as I know, we usually use the exponent (short name 'e') and modulus (short name 'n') to generate the public key in RSA signature. You can refer to this page (https://en.wikipedia.org/wiki/RSA_(cryptosystem)):

The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the modulus n and the private (or decryption) exponent d, which must be kept secret. p, q, and φ(n) must also be kept secret because they can be used to calculate d.

Generally, we should encode them and get the int value. I recommend you refer to the link (https://github.com/jpadilla/pyjwt/blob/c5ee34e86bc42bef60ef6e701df569c2c86a5d5d/tests/keys/__init__.py) from 'Brent Schmaltz'. Also, you can share how to use the signature in your project. Regards,
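A worked version of what the answer describes, added here as an example that is not from the original answer or from PyJWT: it rebuilds the RSA public key from the JWK's "n" and "e" using the `cryptography` package and verifies an RS256 ID token's signature against it, selecting the key by the token's "kid". The key pair, JWKS entry and token are constructed locally by the hypothetical `make_demo_token` so that the example runs offline in place of the B2C discovery endpoint.

```python
import base64
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def b64url_decode(s: str) -> bytes:
    # JWT segments and JWK "n"/"e" are base64url without padding; restore it first
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_to_public_key(jwk: dict):
    # "n" (modulus) and "e" (exponent) are big-endian unsigned integers, not a concatenation
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return rsa.RSAPublicNumbers(e, n).public_key()

def verify_rs256(token: str, jwks: dict) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    # pick the discovery-document key whose "kid" matches the token header
    jwk = next(k for k in jwks["keys"] if k["kty"] == "RSA" and k["kid"] == header.get("kid"))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    # RS256 is RSASSA-PKCS1-v1_5 over SHA-256; verify() raises InvalidSignature on mismatch
    jwk_to_public_key(jwk).verify(b64url_decode(sig_b64), signing_input,
                                  padding.PKCS1v15(), hashes.SHA256())
    return json.loads(b64url_decode(payload_b64))

def signature_is_valid(token: str, jwks: dict) -> bool:
    try:
        verify_rs256(token, jwks)
        return True
    except (InvalidSignature, ValueError, StopIteration):
        return False

def make_demo_token(payload: dict, kid: str = "demo-kid"):
    # Constructed stand-in for the B2C tenant: a fresh key pair, its JWKS entry and a signed token
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nums = priv.public_key().public_numbers()
    to_b64 = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kid": kid, "use": "sig", "kty": "RSA", "n": to_b64(nums.n), "e": to_b64(nums.e)}]}
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = priv.sign(f"{header}.{body}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{body}.{b64url_encode(sig)}", jwks
```

With PyJWT the same key object comes from `jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk))`, and `jwt.decode(token, key, algorithms=["RS256"], audience=...)` then also checks the claims (audience, expiry) that the linked token-validation steps require beyond the signature.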