Validating JWT from Azure Active Directory

I followed the instructions here to get the access token for the web API.

https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

It works for me, but the documentation is fuzzy when it comes to figuring out how to check the token in PHP.

You can use the access token that is returned in the response for authentication to secure resources, such as the web API. Typically, a token is represented by a web API in an HTTP request using the Bearer scheme described in RFC 6750. This specification explains how to use media tokens in HTTP requests to access protected resources.

When the web API receives and validates the token, it gives the available client application access to the web API.

How do I check the JWT in the application? I have a PHP framework that uses the openssl_verify() PHP function with a marker, signal, key and algorithm, but I get an error when I use Azure's private key with the SHA256 algorithm:

openssl_verify(): supplied key param cannot be coerced into a public key 

This makes me think that the key that I use in PHP for verification is incorrect. At the moment I am using the private key that I generated for the Active Directory application, which is also the same value that I use for the client_secret parameter when hitting the oauth2/token URL (any other value does not result in a token being generated, so this is probably correct).

The key looks similar to this (BUT NOT EXACTLY):

 cLDQWERTYUI12asdqwezxctlkjpoiAn7yhjeutl8jsP= 

I believe openssl should have a certificate... if so, I cannot find where this certificate is located in the Azure portal.

What am I missing here? What key should I use with openssl_verify() to check the JWT, and where do I find it in Azure?

Thanks

-

UPDATE:

I found the public keys here: https://login.windows.net/common/discovery/keys

However, I still cannot use the x5c value to verify the signature. How do you do this in PHP?

-

UPDATE 2:

I used the conversion to create a .pem file for the public key using the "e" and "n" options. This got the public key.

Now I get OpenSSL errors when decrypting with it:

 error:0906D06C:PEM routines:PEM_read_bio:no start line 
2 answers

Closing this question, as I have moved on from the original problem. I have updated my question with comments showing how I progressed.

I have created a new question for the new, specific problem: How to check the JSON token using a public RSA key?

-

Just in case this helps someone else:

For reference, here is how I got the Microsoft public keys in PHP:

    $string_microsoftPublicKeyURL = 'https://login.windows.net/common/discovery/keys';
    $array_publicKeysWithKIDasArrayKey = loadKeysFromAzure($string_microsoftPublicKeyURL);

    // Fetch the discovery (JWKS) document and return PEM public keys indexed by "kid".
    function loadKeysFromAzure($string_microsoftPublicKeyURL) {
        $array_keys = array();
        $jsonString_microsoftPublicKeys = file_get_contents($string_microsoftPublicKeyURL);
        $array_microsoftPublicKeys = json_decode($jsonString_microsoftPublicKeys, true);
        foreach ($array_microsoftPublicKeys['keys'] as $array_publicKey) {
            // x5c[0] is the base64 DER certificate; wrap it at 64 columns to make a PEM block.
            $string_certText = "-----BEGIN CERTIFICATE-----\r\n"
                . chunk_split($array_publicKey['x5c'][0], 64)
                . "-----END CERTIFICATE-----\r\n";
            $array_keys[$array_publicKey['kid']] = getPublicKeyFromX5C($string_certText);
        }
        return $array_keys;
    }

    // Extract the PEM-encoded public key from a PEM certificate.
    function getPublicKeyFromX5C($string_certText) {
        $object_cert = openssl_x509_read($string_certText);
        $object_pubkey = openssl_pkey_get_public($object_cert);
        $array_publicKey = openssl_pkey_get_details($object_pubkey);
        return $array_publicKey['key'];
    }

It's best to cache them on disk so that you don't download them every time, but this is just a simple example of how to do this.

Then, using the array of public keys, check the JWT header for "kid" to find the correct public certificate to verify with, and use it as parameter 3 of openssl_verify(). I used the JWT class to handle this for me.

Using this public key array created above and the JWT class should allow you to validate Microsoft JWT.

Link to JWT class from firebase: https://github.com/firebase/php-jwt

Call JWT::decode with parameter 1 being your JWT, parameter 2 this public key array, and parameter 3 an array containing only "RS256":

    JWT::decode($string_JSONWebToken, $array_publicKeysWithKIDasArrayKey, array('RS256'));

This will throw an exception if the JWT is invalid, or return the decoded JWT for use (and claim verification).

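For anyone who wants to do what the question originally asked, calling openssl_verify() directly instead of going through php-jwt, here is an added example (not from the answer above and not php-jwt's code). It takes the kid-keyed PEM array that loadKeysFromAzure() builds, pins the algorithm to RS256, verifies the signature and then checks the claims a signature does not cover; the function names and the expected audience and issuer values are assumptions you would replace with your own.

```php
<?php
// Added example (not from the answer or php-jwt): verify an RS256 JWT with openssl_verify()
// using the kid-keyed PEM array from loadKeysFromAzure(), then check the claims.

function base64url_decode(string $data): string
{
    $decoded = base64_decode(strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4), true);
    if ($decoded === false) {
        throw new RuntimeException('Invalid base64url segment in JWT');
    }
    return $decoded;
}

// $keysByKid: PEM public keys indexed by kid; $expectedAudience / $expectedIssuer come from your own config (assumed).
function verifyAzureJwt(string $jwt, array $keysByKid, string $expectedAudience, string $expectedIssuer): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('JWT must have three dot-separated parts');
    }
    list($headerB64, $payloadB64, $signatureB64) = $parts;
    $header  = json_decode(base64url_decode($headerB64), true);
    $payload = json_decode(base64url_decode($payloadB64), true);
    if (!is_array($header) || !is_array($payload)) {
        throw new RuntimeException('JWT header or payload is not valid JSON');
    }
    // Pin the algorithm: the verifier, not the token, decides which algorithm is acceptable.
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('Unexpected alg in JWT header');
    }
    if (!isset($header['kid']) || !isset($keysByKid[$header['kid']])) {
        throw new RuntimeException('No public key known for the kid in the JWT header');
    }
    // openssl_verify() wants the signed bytes "header.payload" exactly as they appear in the
    // token, the raw (base64url-decoded) signature, and OPENSSL_ALGO_SHA256 for RS256.
    if (openssl_verify($headerB64 . '.' . $payloadB64, base64url_decode($signatureB64), $keysByKid[$header['kid']], OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('JWT signature verification failed');
    }
    // A valid signature only proves who issued the token; still check for whom and until when.
    $now = time();
    if (!isset($payload['exp']) || $payload['exp'] < $now) {
        throw new RuntimeException('JWT is expired or has no exp claim');
    }
    if (($payload['aud'] ?? null) !== $expectedAudience || ($payload['iss'] ?? null) !== $expectedIssuer) {
        throw new RuntimeException('JWT audience or issuer does not match this API');
    }
    return $payload;
}
```

The "no start line" PEM error from the question goes away once the key passed in is the PEM public key string that openssl_pkey_get_details() returns, not the client_secret.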

If you want to verify a JWT, go to jwt.io. This will let you paste in the JWT, and it will then check the header and claims, and if you add the public key or private key (depending on how the server verifies the signature), it will also verify the JWT signature.

