I have an OAuth Access Token (its from Azure). I would like to verify the signature.
I've decoded the token
Header
{
"typ": "JWT",
"alg": "RS256",
"x5t": "abc123",
"kid": "abc123"
}
And the payload
{
"aud": "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"iss": "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
"iat": 1580132587,
"nbf": 1580132587,
"exp": 1580136487,
"acct": 0,
"acr": "1",
"aio": "xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx==",
"amr": [
"pwd"
],
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxf",
"appidacr": "0",
"ipaddr": "yyy.yyy.yyy.yyy",
"name": "test",
"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"scp": "user_impersonation",
"sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"unique_name": "test@mycompany.onmicrosoft.com",
"upn": "test@mycompany.onmicrosoft.com",
"uti": "xxxxxxxxxxxxx-xxxxxxxxx",
"ver": "1.0"
}
(After verifying the intended audience (aud)) I need to verify the signature. To do that I first need to calculate the signature. To do that
- I need to call the Azure metadata document to confirm the public key in the header.
- From that I get the public keys (JWKS URI), e.g.
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys
This gives me an array
[{ "kty": "RSA", "use": "sig", "kid": "abc123", "x5t": "abc123", "n": "...", "e": "...", "x5c": [..."], "issuer": " https: //login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, { "kty": "RSA", "use": "sig", "kid": "...", "x5t": "...", "n": "....", "e": "...", "x5c": ["."], "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0" }, ]I check that
kidandx5tmatch the fields in the header.
Questions
- How to calculate the actual signature? In my case the signing algorithm is RS256, so I got to do something like this
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), public_key)
- What is the public_key?
- And in native Javascript is there a function RSASHA256 ?
