Reputation: 905
Received an access token from AAD using the URL below: https://login.microsoftonline.com/gdfdddddd-87dd-497c-b894-xxxxxx/oauth2/v2.0/token
grant_type: client_credentials
client_id: xxxxx-1ff5-4615-8d71-yyyyyy
client_secret: [7aCw]fdsfsfsfds.AC61Fg:cm33
scope: https://vault.azure.net/.default
Validated the received token manually using the code below, and it works fine:

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Fetch the tenant's OpenID Connect metadata (issuer, signing keys) and cache it.
IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
    new ConfigurationManager<OpenIdConnectConfiguration>(
        "https://login.microsoftonline.com/TestDomain310320.onmicrosoft.com/v2.0/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever());

// AsyncHelper.RunSync is a local helper that blocks on the async call.
OpenIdConnectConfiguration openIdConfig =
    AsyncHelper.RunSync(async () => await configurationManager.GetConfigurationAsync(CancellationToken.None));

TokenValidationParameters validationParameters =
    new TokenValidationParameters
    {
        ValidIssuer = "https://sts.windows.net/a3d2bff3-87dd-497c-b894-f63befdd7496/",
        ValidAudiences = new[] { "https://vault.azure.net" },
        IssuerSigningKeys = openIdConfig.SigningKeys
    };

// 'token' is the access token string obtained from the token endpoint above.
SecurityToken validatedToken;
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
var user = handler.ValidateToken(token, validationParameters, out validatedToken);
```
Modified the scope parameter to https://graph.microsoft.com/.default and received an AAD token successfully, but token validation using the above code fails with the error message "IDX10511: Signature validation failed. Keys tried: '[PII is hidden]'." Verified that the AAD app with the above-mentioned client id has the "user.read/user.read.basicall" permissions. Why does token validation fail if the token is received from AAD with scope https://graph.microsoft.com/.default?

Observation:

Token received with scope https://vault.azure.net/.default:

```json
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "YMELHT0gvb0mxoSDoYfomjqfjYU",
  "kid": "YMELHT0gvb0mxoSDoYfomjqfjYU"
}
```
While the token received with scope https://graph.microsoft.com/.default has an extra nonce property to avoid replay attacks. Could that be the reason for the token validation failure?

```json
{
  "type": "JWT",
  "nonce": "wCXLm9rF5Nma2S7OswU44uAVRpVbM_20WrWJkqbWe6Y",
  "alg": "RS256",
  "x5t": "YMELHT0gvb0mxoSDoYfomjqfjYU",
  "kid": "YMELHT0gvb0mxoSDoYfomjqfjYU"
}
```

Please suggest.
Upvotes: 0
Views: 885
Reputation: 1704
You should not be looking into, or validating, tokens that were not issued to your own APIs. The intended receivers, Key Vault and MS Graph, will do the necessary validation themselves. You should treat these access tokens as opaque blobs that you stuff into the Authorization header in your calls to these APIs.

An API owner, Graph or Key Vault, can tomorrow change the claims present in them or even choose to encrypt their tokens, and your code will break.

Why are you validating tokens? If you are reading validated tokens of APIs that do not belong to you in your applications as a proof of authentication, then you are setting yourself up for failure. Also, it's a security concern, as any app in the world which can obtain an access token for Key Vault or MS Graph can pass it to your APIs and compromise them.

Here is a discussion for reference - Cannot validate signature. #609
Upvotes: 1
Reputation: 15724
Yes, the error was caused by the nonce field in the JWT header.

As far as I know, if we request an access token for the Graph API, the JWT token will contain the nonce field. And then we can't validate it on our backend (for security reasons, Microsoft doesn't allow us to do this operation).
Upvotes: 0
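Both answers above make the same point from two directions: only validate tokens whose audience is your own API, and treat Graph or Key Vault tokens (the ones that carry the `nonce` header) as opaque. The following is an added example, not code from the question or either answer, showing how a backend can enforce that using the same `Microsoft.IdentityModel` and `System.IdentityModel.Tokens.Jwt` types as the question. It assumes placeholder values for the tenant ID and for the API's own App ID URI and client ID; the `OwnApiTokenValidator` class and `ValidateTokenForOurApi` method are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the question or answers): validate only tokens issued to OUR API.
public static class OwnApiTokenValidator
{
    // Placeholders (assumed): your tenant ID and your API's App ID URI / client ID.
    private const string TenantId    = "00000000-0000-0000-0000-000000000000";
    private const string ApiAppIdUri = "api://00000000-0000-0000-0000-000000000000";
    private const string ApiClientId = "00000000-0000-0000-0000-000000000000";

    // Cached metadata fetch; ConfigurationManager refreshes signing keys automatically.
    private static readonly IConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    public static ClaimsPrincipal ValidateTokenForOurApi(string token)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(token))
            throw new SecurityTokenException("Not a readable JWT.");

        // Peek at the token WITHOUT validating it, only to decide whether it is addressed to us.
        JwtSecurityToken unverified = handler.ReadJwtToken(token);
        string[] ourAudiences = { ApiAppIdUri, ApiClientId };

        if (!unverified.Audiences.Any(ourAudiences.Contains))
        {
            // Tokens for Microsoft Graph, Key Vault, etc. are opaque to us: never accept them as proof
            // of authentication, and never try to verify their signature.
            throw new SecurityTokenInvalidAudienceException(
                $"Audience '{string.Join(",", unverified.Audiences)}' is not this API; refusing to validate.");
        }

        // A 'nonce' header marks a Graph-style token, which is not meant to be validated by third parties.
        // Give a clearer diagnostic than IDX10511 if one somehow reaches us.
        if (unverified.Header.ContainsKey("nonce"))
            throw new SecurityTokenException("Header contains 'nonce'; this token was not issued to this API.");

        OpenIdConnectConfiguration oidc =
            ConfigManager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();

        var parameters = new TokenValidationParameters
        {
            // Accept the v2.0 issuer and the v1.0 issuer for this tenant only.
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{TenantId}/v2.0",
                $"https://sts.windows.net/{TenantId}/"
            },
            ValidAudiences = ourAudiences,
            IssuerSigningKeys = oidc.SigningKeys,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };

        // Full validation: signature against the tenant's keys, issuer, audience and expiry.
        return handler.ValidateToken(token, parameters, out SecurityToken _);
    }
}
```

The audience check runs before any signature work, so a Key Vault or Graph token is rejected with an explicit reason rather than the generic IDX10511 the question hit, and a token that does pass is one the tenant actually issued for this API.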