Ben Gannaway

Reputation: 1093

MSAL access token invalid signature

I'm using MSAL to get an access token. It works fine and I'm able to log in and retrieve my Active Directory user.

However, I'm having problems using it to access an API, and I have noticed that when I inspect the token at https://jwt.io/ it says INVALID SIGNATURE.

Is this a problem? If so how can I fix it?

Upvotes: 8

Views: 7289

Answers (2)

Feargal Kavanagh

Reputation: 126

Adding my solution, as when searching for my issue I was brought here. My problem was that even though everything seemed to work (able to log in, MSAL got the token, MSAL added it to the headers for a protected resource API call, etc.), when the API call was made the API responded with 401 Unauthorized. Unsure why, I decoded the token and it warned me of an invalid signature.

In the end, the issue was that on my protected resource I had "user.read" as well as my scope for the API (api://clientId/scope). So for some reason the additional user.read scope broke something in the API. Not sure why, as the API has the user.read API permission. Regardless, it might be something to double-check.

Upvotes: 1

Chris Padgett

Reputation: 14724

No, it isn't a big concern because JWT.io doesn't have the public key, but you can verify the token signature by:

  1. Copying the public key from the "keys" endpoint in Azure AD B2C.
  2. Converting this public key from the JSON Web Key (JWK) format to the PEM format.
  3. Pasting the public key to the "Verify Signature" field in JWT.io.

The keys endpoint is:

https://login.microsoftonline.com/te/{tenant}/{policy}/discovery/v2.0/keys

The public key can be converted from the JWK format to the PEM format using tools such as the jwt-to-pem package.

Upvotes: 11
