Based on this article: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect, I did a sample with OpenId connect protocol.

The below link says that just receiving an id_token is not sufficient to authenticate the user; you must validate the signature and verify the claims in the id_token per your app's requirements.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code

Can anyone help guide me with a code sample on how to validate the signature and verify the claims in the id_token?

1 Answer

The OpenID Connect middleware takes care of validating the id_token for you. See the "about the code" section of the sample. I am pasting here the relevant parts:

This sample shows how to use the OpenID Connect ASP.Net OWIN middleware to sign in users from a single Azure AD tenant. The middleware is initialized in the Startup.Auth.cs file, by passing it the Client ID of the application and the URL of the Azure AD tenant where the application is registered. The middleware then takes care of:

* Downloading the Azure AD metadata, finding the signing keys, and finding the issuer name for the tenant.
* Processing OpenID Connect sign-in responses by validating the signature and issuer in an incoming JWT, extracting the user's claims, and putting them on ClaimsPrincipal.Current.
* Integrating with the session cookie ASP.Net OWIN middleware to establish a session for the user.
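To make the answer concrete, here is an added example of a Startup.Auth.cs that shows where each of the three responsibilities above is wired up and how you add your own claim checks on top of the middleware's signature and issuer validation. This is illustrative code written for this answer, not the sample's own file: the `ida:*` configuration keys, the tenant id and the `/Error` route are assumed placeholders, and the `TokenValidationParameters` namespace is `Microsoft.IdentityModel.Tokens` in current package versions (`System.IdentityModel.Tokens` in older ones).

```csharp
// Added example, not the sample's own Startup.Auth.cs.
// Assumed placeholders: the ida:* appSettings keys and the /Error route.
using System;
using System.Configuration;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;          // TokenValidationParameters, SecurityTokenValidationException
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Values the app was registered with in Azure AD (assumed config keys).
    private static readonly string ClientId    = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string TenantId    = ConfigurationManager.AppSettings["ida:TenantId"];
    private static readonly string AadInstance = ConfigurationManager.AppSettings["ida:AADInstance"]; // e.g. https://login.microsoftonline.com/{0}

    // Authority = tenant endpoint. The middleware appends
    // /.well-known/openid-configuration to it, downloads the metadata,
    // and from there fetches the signing keys (jwks_uri) and the issuer.
    private static readonly string Authority =
        string.Format(CultureInfo.InvariantCulture, AadInstance, TenantId);

    // Azure AD claim type that carries the tenant the user belongs to.
    private const string TenantIdClaimType = "http://schemas.microsoft.com/identity/claims/tenantid";

    public void ConfigureAuth(IAppBuilder app)
    {
        // 3. Session: once the id_token is accepted, the identity is stored in a cookie.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId  = ClientId,
            Authority = Authority,

            // 2. Signature and claim validation. Signature, issuer, audience and
            //    lifetime are checked by the middleware using these parameters;
            //    the defaults already turn all of them on, they are spelled out
            //    here so the reader can see what is enforced.
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,        // signature must verify against a metadata key
                ValidateIssuer           = true,        // iss must match the issuer from metadata
                ValidateAudience         = true,        // aud must equal our ClientId
                ValidAudience            = ClientId,
                ValidateLifetime         = true,        // nbf/exp are enforced
                ClockSkew                = TimeSpan.FromMinutes(2),
                NameClaimType            = "name"
            },

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs only after the signature and the standard claims passed.
                // App-specific requirements go here: this one rejects a user
                // whose token was issued for a different tenant.
                SecurityTokenValidated = context =>
                {
                    ClaimsIdentity identity = context.AuthenticationTicket.Identity;
                    string tid = identity.FindFirst(TenantIdClaimType)?.Value;

                    if (!string.Equals(tid, TenantId, StringComparison.OrdinalIgnoreCase))
                    {
                        // Throwing here routes the request to AuthenticationFailed below.
                        throw new SecurityTokenValidationException("id_token was issued for an unexpected tenant.");
                    }
                    return Task.FromResult(0);
                },

                // Any validation failure (bad signature, wrong issuer, expired token,
                // or the tenant check above) ends up here and never establishes a session.
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("/Error?message=" + Uri.EscapeDataString(context.Exception.Message));
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The key point for the original question: you do not parse or verify the JWT yourself. Set `Authority` to the tenant, let the middleware fetch the metadata and keys, and put any checks beyond signature, issuer, audience and lifetime in `SecurityTokenValidated`, which is only invoked for tokens that have already passed those checks.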