Reputation: 114
I have a scenario whereby a user would sign in/sign up to Azure AD B2C from a frontend application. Thereafter they would make calls to an API application (with a JWT token) separate from this frontend. The requirement is that the API application validates a user's token and decides whether to execute the request. I can send the JWT token from the frontend to the API using the auth header. I can receive it in the API also. The challenge is now to validate that this token is not faked by a man-in-the-middle or just being abused by someone who got hold of it. I know each token comes with a timestamp and can be checked for expiration. However, this is not sufficient. I need to check it against Azure AD B2C somehow.
Update: the API is a Node.js-based Azure Functions app
Upvotes: 1
Views: 2458
Reputation: 206
You can validate the signature of the token in your API app. A token is signed by asymmetric keys.
Every user flow in Azure B2C has an associated metadata document which has all the details about the keys in the tag "jwks_uri":
"jwks_uri": "https://xxxxxx.b2clogin.com/xxxxxxxxx.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_pe",
You can fetch the key details from the link under the jwks_uri tag and use it to validate the signature. Also remember these keys are rotated, so you need to get the latest ones every 24 hours.
Sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/user_info
Doc: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview
Upvotes: 2
Reputation: 11325
See this sample. The API is protected using UseOAuthBearerAuthentication to verify the signature of the token. All Azure AD B2C tokens are signed JWTs. The sample code will find the metadata endpoint of your policy+tenant combination and use the public key to ensure that the token signature is valid/unmodified and has been signed by the private keyholder (AAD B2C).
Upvotes: 1