Reputation: 15573
I'm trying to validate an access token in my Python app following this code sample from Microsoft. So in line 99 it's decoding the token using the python-jose library:
from jose import jwt  # python-jose

# rsa_key is the JWK (matched on the token header's "kid") fetched from the tenant's discovery keys endpoint
payload = jwt.decode(
    token,
    rsa_key,
    algorithms=["RS256"],
    audience=API_AUDIENCE,
    issuer="https://sts.windows.net/" + TENANT_ID + "/"
)
But although at line #72 it says:
"""Determines if the Access Token is valid"""
It only works if I pass the ID token to it. Every time I pass the access token, I get this error:
JWTError: Signature verification failed
Seems like the public keys at these URLs:
https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys
https://login.microsoftonline.com/common/discovery/v2.0/keys
work only for ID tokens.
I really need to validate the access token because it's coming from a request to an API with bearer token authorisation. How can I validate the access token instead of the ID token?
Upvotes: 1
Views: 1167
Reputation: 15573
So, thanks to @Gary I could find the solution. Reading his blog about the same issue, I found out that:
If you get a token with a nonce field in the JWT header, then it is intended for Microsoft APIs to validate, and will always fail standard signature based validation.
To get an access token for custom APIs, I had to define a custom scope for my registered app in the Azure portal.
And when I added the new scope to the OIDC configuration in my app, I got a new access token which can be verified by jwt.
Upvotes: 0
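A stdlib-only pre-flight check for the failure described in the question and the answer above, added here as an example and not part of either post: it reads the unverified JWT header, flags the nonce field the answer mentions (a token meant for Microsoft's own APIs, which will never pass a normal signature check), confirms the header's kid is present in the tenant's JWKS, and compares aud and iss with the values the question passes to jwt.decode, so the reason for a "Signature verification failed" is named before the signature is checked. The JWKS document, the token builder, the tenant id "tenant" and the audience "api://my-api" are constructed samples; a token that passes is then handed to python-jose exactly as in the question.

```python
import base64
import json

# Constructed sample JWKS, shaped like the discovery endpoint's response but
# reduced to the fields this check uses (a real entry carries the RSA "n").
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "key-1", "e": "AQAB", "n": "..."}]}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a header.claims.signature string with a dummy signature (test input only)."""
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "c2ln"])


def preflight(token: str, jwks: dict, audience: str, tenant_id: str) -> list:
    """Return the reasons a signature check on this token is bound to fail.

    An empty list means the token is worth passing to jwt.decode with the
    JWK whose "kid" matches the header; nothing here verifies the signature.
    """
    header_b64, claims_b64, _signature = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    problems = []
    if "nonce" in header:
        problems.append("nonce in header: token is issued for Microsoft APIs, not this one")
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if not any(k.get("kid") == header.get("kid") for k in jwks.get("keys", [])):
        problems.append(f"kid {header.get('kid')!r} not in the tenant's JWKS")
    if claims.get("aud") != audience:  # mirrors the audience= argument to jwt.decode
        problems.append(f"aud {claims.get('aud')!r} is not this API")
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        problems.append(f"unexpected iss {claims.get('iss')!r}")
    return problems
```

With an empty problems list, the matching JWK from the JWKS is the rsa_key to pass to jwt.decode(token, rsa_key, algorithms=["RS256"], audience=..., issuer=...) as in the question; the signature is only ever checked there.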