Validating Azure AD Token signature fails JAVA

Backend  Unresolved  1  795
日久生厌 2020-12-31 19:56

I am struggling to validate an Azure AD token signature.

When I look up the correct key description in the "jwks_uri" field under

https://login.microsofton

1 answer
  •  伪装坚强ぢ
    2020-12-31 20:23

    First example

    Modulus and Exponent (n and e) in https://login.microsoftonline.com/common/discovery/keys are encoded in base64url and not in base64, so the code to decode them should be

    byte[] modulusBytes = Base64.getUrlDecoder().decode(n); // java.util.Base64; n is the "n" value of the JWKS entry
    BigInteger modulusInt = new BigInteger(1, modulusBytes);  // signum 1: treat the bytes as an unsigned big-endian integer
    

    Do not use the old com.sun.misc.BASE64Decoder.

    If the JWT is signed, you should not use JWTParser.plaintextJwt(). According to the documentation:

    plaintextJwt: a compact serialized unsigned plaintext JWT string

    Use parseClaimsJws or parsePlaintextJws instead. Use the second method only if the payload is a non-JSON string.

    Second example

    The second example is basically right. I assume X509CertUtils.parse(certChain) is similar to:

     InputStream in = new ByteArrayInputStream(certChain); // certChain: the certificate's DER bytes
     CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); // java.security.cert
     X509Certificate cert = (X509Certificate)certFactory.generateCertificate(in);
    

    The modulus and exponent of the certificate are the same as the decoded ones, so the public key is equivalent.

    There are two similar certificates in the link, check both. You should be able to validate the signature. If not, then the token is not signed with those keys.

    0  Discussion (0)
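The whole flow the answer describes, written as an added example (not the answerer's code, and in Go rather than Java so it runs with the standard library alone): decode the base64url n and e from a JWKS entry into an RSA public key, pick the key by kid, pin the algorithm to RS256, and verify the signature before trusting any claim. The key set and token are a constructed fixture built inside the program (a fresh RSA key, kid "constructed-kid", claims "constructed-user"/"constructed-app"); they stand in for the Azure AD endpoint so nothing is fetched. The function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk is one entry of the "keys" array served at jwks_uri (only the fields an RS256 verifier needs).
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// b64 is unpadded base64url, the alphabet JWS segments and JWK n/e use (RFC 7515, RFC 7518).
var b64 = base64.RawURLEncoding

// publicKeyFromJWK is the Go equivalent of Base64.getUrlDecoder().decode(n) + new BigInteger(1, bytes).
func publicKeyFromJWK(k jwk) (*rsa.PublicKey, error) {
	nBytes, errN := b64.DecodeString(k.N)
	eBytes, errE := b64.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, fmt.Errorf("kid %q: need kty RSA with base64url n and e (no '+', '/' or '=')", k.Kid)
	}
	e := new(big.Int).SetBytes(eBytes) // unsigned big-endian, like BigInteger(1, bytes)
	if e.Sign() <= 0 || e.BitLen() > 31 {
		return nil, fmt.Errorf("kid %q: public exponent out of range", k.Kid)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: int(e.Int64())}, nil
}

// verifyRS256 checks a compact JWS against the key whose kid matches the header; claims are returned only after the signature verified.
func verifyRS256(token string, keys []jwk) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected header.payload.signature")
	}
	hdr, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("token segments must be unpadded base64url")
	}
	var header map[string]interface{}
	if err := json.Unmarshal(hdr, &header); err != nil || header["alg"] != "RS256" {
		return nil, fmt.Errorf("header must parse and carry alg RS256; never let the token pick the alg")
	}
	kid, _ := header["kid"].(string)
	for _, k := range keys {
		if k.Kid != kid {
			continue
		}
		key, err := publicKeyFromJWK(k)
		if err != nil {
			return nil, err
		}
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
			return nil, fmt.Errorf("signature check failed: %w", err)
		}
		var claims map[string]interface{}
		if err := json.Unmarshal(payload, &claims); err != nil {
			return nil, fmt.Errorf("payload: %w", err)
		}
		return claims, nil
	}
	return nil, fmt.Errorf("no key with kid %q in the key set", kid)
}

// issueTestToken is a constructed fixture standing in for Azure AD (fresh RSA key, its JWKS entry, a token signed with it) so the example runs offline.
func issueTestToken() (string, []jwk, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT","kid":"constructed-kid"}`)) +
		"." + b64.EncodeToString([]byte(`{"sub":"constructed-user","aud":"constructed-app"}`))
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	keys := []jwk{{Kid: "constructed-kid", Kty: "RSA", N: b64.EncodeToString(priv.PublicKey.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.PublicKey.E)).Bytes())}}
	return signingInput + "." + b64.EncodeToString(sig), keys, err
}

func main() {
	token, keys, _ := issueTestToken() // constructed fixture
	claims, err := verifyRS256(token, keys)
	fmt.Println("verified:", err == nil, "claims:", claims)
	_, err = base64.StdEncoding.DecodeString(keys[0].N) // the question's bug: the standard decoder
	fmt.Println("StdEncoding decode of n fails:", err != nil)
}
```

The last two lines of main reproduce the failure from the question: the modulus carries no "=" padding and may contain "-" or "_", so a standard base64 decoder rejects it (or, in Java's lenient decoders, yields the wrong bytes), and the rebuilt key then never matches the signature. Matching by kid is also what "check both" in the answer amounts to when the key set holds more than one entry.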