I am struggling to validate an Azure AD token signature.
When I look up the correct key description in the "jwks_uri" field under
https://login.microsofton
First example
Modulus and exponent (n and e) in https://login.microsoftonline.com/common/discovery/keys are encoded in base64url and not in base64, so the code to decode them should be
import java.math.BigInteger;
import java.util.Base64;

byte[] modulusBytes = Base64.getUrlDecoder().decode(n); // n is base64url (unpadded), not plain base64
BigInteger modulusInt = new BigInteger(1, modulusBytes); // signum 1: treat the bytes as an unsigned magnitude
Do not use the old com.sun.misc.BASE64Decoder.
If the JWT is signed you should not use JWTParser.plaintextJwt(). According to the documentation:
plaintextJwt: a compact serialized unsigned plaintext JWT string
Use instead parseClaimsJws or parsePlaintextJws. The second method only if the payload is a non-JSON string.
Second example
The second example is basically right. I assume X509CertUtils.parse(certChain) is similar to
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

ByteArrayInputStream in = new ByteArrayInputStream(certChain); // certChain: DER bytes of one x5c entry (x5c is plain base64, not base64url)
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in);
The modulus and exponent of the certificate are the same as the decoded ones, so the public key is equivalent.
There are two similar certificates in the link; check both. You should be able to validate the signature. If not, then the token is not signed with those keys.
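The following is an added, self-contained example (not code from the question, the answer, or any library) that shows the first example end to end: rebuilding an RSA public key from JWKS-style base64url "n" and "e" values with Base64.getUrlDecoder(), then verifying an RS256 compact JWS over the "header.payload" bytes with java.security.Signature instead of parsing it as a plaintext JWT. It assumes nothing beyond the JDK; the key pair, the "kid" value and the token are constructed in place as a stand-in for the tenant's real signing key, so it runs offline. It also shows what the wrong decoder does with a real modulus string.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class JwksRs256Demo {

    // Base64url without padding, the encoding used for JWKS "n"/"e" and for JWT segments.
    static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    // Big-endian magnitude of a BigInteger, dropping the sign byte toByteArray() may prepend.
    static byte[] unsignedBytes(BigInteger value) {
        byte[] raw = value.toByteArray();
        if (raw.length > 1 && raw[0] == 0) {
            byte[] trimmed = new byte[raw.length - 1];
            System.arraycopy(raw, 1, trimmed, 0, trimmed.length);
            return trimmed;
        }
        return raw;
    }

    // Rebuild an RSA public key from "n" and "e" exactly as they appear in a JWKS document.
    static PublicKey publicKeyFromJwk(String n, String e) throws Exception {
        BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(n));
        BigInteger exponent = new BigInteger(1, Base64.getUrlDecoder().decode(e));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    // Verify an RS256 compact JWS: the signature covers the ASCII bytes of "header.payload".
    static boolean verifyRs256(String jwt, PublicKey key) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] sig = Base64.getUrlDecoder().decode(parts[2]);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(signingInput);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a fresh RSA key pair standing in for the tenant's signing key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();

        // What a JWKS endpoint would publish for this key (base64url, no padding).
        String n = b64url(unsignedBytes(pub.getModulus()));
        String e = b64url(unsignedBytes(pub.getPublicExponent()));

        // Mint a token signed with the private key, the way the issuer would. "kid" is a made-up value.
        String header = b64url("{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"demo\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64url("{\"iss\":\"https://login.microsoftonline.com/common/\",\"sub\":\"user\"}".getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(pair.getPrivate());
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        String jwt = header + "." + payload + "." + b64url(signer.sign());

        // Key reconstructed with the url decoder verifies the genuine token.
        System.out.println("genuine token valid: " + verifyRs256(jwt, publicKeyFromJwk(n, e)));

        // A tampered payload with the original signature must fail.
        String forged = header + "." + b64url("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8)) + "." + jwt.split("\\.")[2];
        System.out.println("forged token valid: " + verifyRs256(forged, publicKeyFromJwk(n, e)));

        // The plain Base64 decoder rejects the '-' and '_' characters that base64url uses.
        try {
            Base64.getDecoder().decode(n);
            System.out.println("plain Base64 decoder accepted n (this modulus happens to contain no '-' or '_')");
        } catch (IllegalArgumentException ex) {
            System.out.println("plain Base64 decoder rejected n: " + ex.getMessage());
        }
    }
}
```

In a real validator the "kid" from the token header selects which JWKS entry to use, and the issuer, audience and expiry claims still have to be checked after the signature passes; the block above only covers the signature step the answer discusses.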