noober

Reputation: 1505

Unable to successfully validate an access token from Microsoft Graph API

I am using the Microsoft Graph API along with Microsoft Authentication Library (MSAL) to acquire access tokens and I can successfully retrieve the access token, id token and refresh token. I can also successfully validate the id token. However, I cannot do the same for the access token as I'm getting this error:

raise InvalidSignatureError('Signature verification failed')
jwt.exceptions.InvalidSignatureError: Signature verification failed

I've reviewed as best as I can the microsoft documentation regarding validation here: Microsoft identity platform access tokens

For validation, I can successfully decode using the jwt.ms site for jwt validation. So I know the tokens are good. I can see from the decode the claims and extract the aud (audience) and iss (issuer). These values are not the same for the id token (which I can successfully validate).

I am using the public keys from the following url as documented:

https://login.microsoftonline.com/<TENANT ID>/discovery/keys

So, what am I missing in regards to validating the access token (if I can validate the id token with no issues)? How else can I troubleshoot this?

Upvotes: 1

Views: 2700

Answers (2)

Gary Archer

Reputation: 29218

Jim's answer is correct and there are 2 use cases really - so it depends on what you are trying to do:

  • Getting an access token for Microsoft resources - such as Graph - in which case you don't validate them

  • Getting a token for your own API resources, in which case you need to validate them. For this to work you need to 'expose an API scope' to get a different type of access token

Behaviour is not intuitive in my opinion, since I like to build standards-based solutions. If it helps, here is a visual blog post of mine on getting the second scenario above working.

Upvotes: 4

Jim Xu

Reputation: 23111

As far as I know, we do not need to validate the Microsoft Graph signature, because MS Graph recognized an opportunity to improve security for users. They achieved this by putting a 'nonce' into the JWT header. The JWS is signed with a SHA2 of the nonce; the nonce is replaced before the JWS is serialized. To validate this token, the nonce would need to be replaced with the SHA2 of the nonce in the header. Now this can change since there is no public contract. So when calling Microsoft Graph, you should treat access tokens as opaque. For more details, please refer here and here.

Upvotes: 1
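To make the mechanism in Jim's answer concrete, here is an added example (not code from the question, the answers, or Microsoft) that models it with a stdlib-only HS256 JWS: the signature is computed over a header whose nonce has been replaced by its SHA-256, but the serialized token carries the original nonce, so standard verification fails exactly like the InvalidSignatureError in the question. The key, nonce and claim values are constructed, and the exact hash encoding Microsoft uses is an assumption; the point is why a Graph token fails standard validation while a token for your own API (signed over the header as emitted) passes.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret"  # constructed; real Graph tokens are RS256, not HMAC
HEADER = {"typ": "JWT", "alg": "HS256", "nonce": "constructed-nonce"}
PAYLOAD = {"aud": "constructed-audience", "iss": "constructed-issuer", "sub": "demo"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON with stable key order so re-serialized headers match byte-for-byte.
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Ordinary JWS: the signature covers exactly the header that is emitted."""
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def sign_with_nonce_transform(header: dict, payload: dict, key: bytes) -> str:
    """Model of the Graph behaviour: sign over SHA-256(nonce), emit the raw nonce."""
    signed_header = dict(header)
    signed_header["nonce"] = hashlib.sha256(header["nonce"].encode()).hexdigest()
    _, payload_b64, sig_b64 = sign(signed_header, payload, key).split(".")
    return f"{_segment(header)}.{payload_b64}.{sig_b64}"  # original header goes on the wire


def verify(token: str, key: bytes, transform_nonce: bool = False) -> bool:
    """Standard verification, optionally applying the undocumented nonce transform first."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if transform_nonce:
        header = json.loads(b64url_decode(header_b64))
        header["nonce"] = hashlib.sha256(header["nonce"].encode()).hexdigest()
        header_b64 = _segment(header)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def demo() -> dict:
    graph_like = sign_with_nonce_transform(HEADER, PAYLOAD, KEY)
    own_api = sign(HEADER, PAYLOAD, KEY)
    return {"graph_standard": verify(graph_like, KEY),          # False: the question's error
            "graph_transformed": verify(graph_like, KEY, True),  # True: relies on a non-contract
            "own_api_standard": verify(own_api, KEY)}           # True: validate these normally
```

Because the transform is not a published contract, the second check is shown only to explain the failure; in practice, treat Graph access tokens as opaque and validate only tokens issued for your own exposed API scope.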
