Question
I'm by no means an expert on MSAL/JWT/Graph authentication, but I'm hoping someone can explain this issue more clearly to me, or help me understand if there's a workaround or better approach.
Essentially, there are certain scenarios where I might end up with a Microsoft Graph JWT token. Two examples I can think of easily are using the Microsoft Graph Toolkit or using Tabs SSO in Microsoft Teams. In both cases, I can get relevant identity information for the user from the JWT token I would have already (via Graph Toolkit or via Teams SSO) - their Azure AD Object Id and their Tenant Id. However, I can't use that same token with my own backend API, because, from my research, I can't perform basic token verification against that JWT token. I'd like to be able, for example, to store information against that user and tenant Id combination.
I do understand that I can do my own authentication (e.g. MSAL.js), and I can even use the SAME Azure AD Application by extending its use, but it would be much easier to simply use the token I have access to already, if there was just a way to validate it. In Teams, as an example, the SSO user experience is nicely integrated, but I'd need to put the user through ANOTHER signin, potentially even for the SAME Azure AD Application. [Update: so technically it's not another 'sign-in' - the user is signed in already, hence 'SSO', but they need to consent again, in this case against the very same app they consented to a moment before].
So, my question is, is there any way to safely verify the existing token?
Answer 1:
An AAD token for the Graph is not meant for your app/services and you should not be attempting to validate or even decode it. In some cases, the token could be encrypted thus preventing you from even cracking it open. The only thing you can safely do with a Graph token is call a Graph API with it (as long as the token has the necessary scopes). If the token doesn't have the necessary scopes then you will get an error back from the Graph.
Can you help me understand your scenario better? How are you generating this Graph token? In general, when you use Tab SSO the token generated by Teams is not for the Graph; it's for your Web API that you registered with AAD and listed in your app manifest's webApplicationInfo section. To call downstream Graph APIs you would need to exchange this token via AAD's OBO flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
If your app doesn't have the necessary consent then this exchange will fail which you can use as a signal to trigger a popup authentication flow and get the user's consent. This is documented here: https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso
Answer 2:
To validate the access tokens, you need to validate the signature, claims, issuer, the audience, and the signing tokens; these need to be validated against the values in the OpenID discovery document.
Reference - https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
Sample for C# - How to validate Azure AD security token?
Source: https://stackoverflow.com/questions/64946041/validating-a-microsoft-graph-jwt-token