Steven Muhr

Reputation: 3379

IdToken not signed with AzureAD

I am using Azure AD Connect for authentication & permissioning with OpenId Connect.

I don't understand why I receive a JWT IdToken without signature and an AccessToken with signature from Azure. This is probably due to the "alg=none" property set for IdToken. But why not sign the IdToken too?

Upvotes: 2

Views: 409

Answers (1)

Brian Campbell

Reputation: 2461

Are you getting the ID Token directly from Azure's token endpoint? If so, the communication is secured and the host is authenticated via TLS/HTTPS so there's no need to sign or integrity protect the ID Token, which is intended only for you (your client).

Upvotes: 4
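
The reasoning in the answer above, written as a client-side acceptance check (an added example, not part of the original posts and not Azure AD code): an `alg=none` ID token is accepted only when the client fetched it itself from the token endpoint over validated TLS, and is rejected on any other delivery path. The `channel` labels, the helper names and the sample issuer and claims are assumptions constructed for illustration.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_id_token(token: str, channel: str) -> dict:
    """Decide whether an ID token is usable, given how it reached the client.

    channel is a hypothetical label supplied by the caller:
      "token_endpoint" - fetched by the client itself over validated TLS
      "front_channel"  - delivered through the browser (redirect, form post)
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))

    if header.get("alg") == "none":
        if parts[2] != "":
            raise ValueError("alg=none token carries a signature segment")
        if channel != "token_endpoint":
            # Outside the TLS session nothing vouches for the token's origin.
            raise ValueError("unsigned ID token not received from token endpoint")
        return {"claims": claims, "integrity": "tls"}

    if not parts[2]:
        raise ValueError("signing alg declared but signature segment is empty")
    # A signed token must still have its signature verified against the
    # issuer's published keys; that step is outside this example.
    return {"claims": claims, "integrity": "signature-required"}

def make_unsigned_token(claims: dict) -> str:
    # Builds a constructed sample token with an empty signature segment.
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])

# Constructed sample input (not a real Azure AD token).
SAMPLE = make_unsigned_token({"iss": "https://issuer.example", "sub": "user-1", "aud": "client-1"})
```

Issuer, audience, expiry and nonce checks on the claims apply on both paths and are not shown here.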
