I have an angularjs SPA web app which uses ADAL-JS (and adal-angular). It's set up to authenticate vs our corporate AD in MS Azure. The log-in flow seems to work correctly, and the SPA receives an id_token.
Next, when the user clicks a button, the SPA makes a request to a REST API I am hosting on AWS API Gateway. I am passing the id_token in the `Authorization: Bearer <id_token>` header.
The API Gateway receives the header as intended, and now has to determine if the given token is good or not to either allow or deny access.
I have a sample token, and it parses correctly on https://jwt.io/ but I have so far failed to find the Public Key or Certificate I should use to verify the signature. I have looked in:
- https://login.microsoftonline.com/{tenantid}/federationmetadata/2007-06/federationmetadata.xml
- https://login.microsoftonline.com/{tenantId}/discovery/keys
- https://login.microsoftonline.com/common/.well-known/openid-configuration (to get the jwks_uri)
- https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
- https://login.microsoftonline.com/common/discovery/keys
- https://login.microsoftonline.com/common/discovery/v2.0/keys
I think I should use the value of the x5c property of the key in https://login.microsoftonline.com/common/discovery/keys matching the kid and x5t properties from the JWT id_token (currently a3QN0BZS7s4nN-BdrjbF0Y_LdMM, which leads to an x5c value starting with "MIIDBTCCAe2gAwIBAgIQY..."). However, the https://jwt.io/ page reports "Invalid Signature" (I also tried wrapping the key value with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").
Also, is there a (possibly python) library that can facilitate the verification of a given id_token as in the case above (so that I won't have to go grab the signing key on the fly myself?)... The best I could find (ADAL for python) doesn't seem to provide this feature?
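The verification flow the question is trying to assemble, as an added example (not code from the question or from ADAL): read `kid` from the JWT header, pick the JWKS entry with that `kid`, treat `x5c[0]` as the standard-base64 DER certificate, take the public key out of that certificate, and verify the RS256 signature over `header.payload` before checking `iss`, `aud` and `exp`. It uses the `cryptography` package. To run offline it constructs its own self-signed signing certificate, JWKS document and id_token in place of the Azure AD ones; the tenant id, client id and issuer string are placeholders, not values from the question.

```python
import base64
import datetime
import hashlib
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Placeholder identifiers (assumed for the example, not values from the question).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER = "https://sts.windows.net/%s/" % TENANT_ID


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signing_cert():
    """Constructed stand-in for the IdP's signing certificate (self-signed)."""
    key = rsa.generate_private_key(65537, 2048, default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-signing-key")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256(), default_backend()))
    return key, cert


def jwks_from_cert(cert) -> dict:
    """Constructed JWKS document in the shape served by the discovery/keys endpoint."""
    der = cert.public_bytes(serialization.Encoding.DER)
    # x5t is the base64url SHA-1 thumbprint of the DER certificate (RFC 7515 4.1.7);
    # here kid is set equal to it, as in the token from the question.
    thumb = b64url_encode(hashlib.sha1(der).digest())
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": thumb, "x5t": thumb,
                      # x5c holds the DER certificate in standard base64, not base64url.
                      "x5c": [base64.b64encode(der).decode("ascii")]}]}


def mint_id_token(key, kid: str, claims: dict) -> str:
    """Constructed RS256 id_token, signed the way the IdP would sign it."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid, "x5t": kid}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, jwks: dict, issuer: str, audience: str, now: int) -> dict:
    """Verify the signature with the x5c certificate matching kid, then check claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":          # never let the token pick alg=none / HS256
        raise ValueError("unexpected alg %r" % header.get("alg"))
    matches = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    if not matches:
        raise ValueError("no JWKS key with kid %r" % header.get("kid"))
    # x5c[0] is the leaf (signing) certificate; the verification key is its public key.
    cert = x509.load_der_x509_certificate(base64.b64decode(matches[0]["x5c"][0]),
                                          default_backend())
    cert.public_key().verify(b64url_decode(sig_b64),
                             (header_b64 + "." + payload_b64).encode(),
                             padding.PKCS1v15(), hashes.SHA256())  # raises InvalidSignature
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """End-to-end: mint a token with the constructed cert, verify it via the JWKS."""
    key, cert = make_signing_cert()
    jwks = jwks_from_cert(cert)
    now = int(datetime.datetime.now(datetime.timezone.utc).timestamp())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID,
              "sub": "user-subject", "iat": now, "exp": now + 3600}
    return verify_id_token(mint_id_token(key, jwks["keys"][0]["kid"], claims),
                           jwks, ISSUER, CLIENT_ID, now)


def demo_tampered() -> bool:
    """A modified payload must be rejected by the signature check."""
    key, cert = make_signing_cert()
    jwks = jwks_from_cert(cert)
    now = int(datetime.datetime.now(datetime.timezone.utc).timestamp())
    token = mint_id_token(key, jwks["keys"][0]["kid"],
                          {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "exp": now + 60})
    h, p, s = token.split(".")
    forged = h + "." + b64url_encode(b64url_decode(p).replace(b"alice", b"admin")) + "." + s
    try:
        verify_id_token(forged, jwks, ISSUER, CLIENT_ID, now)
    except InvalidSignature:
        return True
    return False
```

In a real API Gateway authorizer the `jwks` dict comes from the `jwks_uri` advertised by the tenant's openid-configuration document and should be cached; because the signing keys are rotated, an unknown `kid` is the cue to re-fetch the key set once before rejecting the token. Checking `iss`, `aud` and `exp` after the signature is not optional: a validly signed token issued for a different application is still not proof that the caller may use this API.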