Azure AD - JWT validation

The Azure AD Single-sign-on implementation allows BB to retrieve a JWT token on a POST endpoint to check and authenticate a user login session. Azure AD uses a public/private key pair for signing and validating a JWT.

Some questions based on this JWT token setup:

  1. How can we extract the "header" from this JWT token?
    - The "decode_jwt" doesn't provide this at the moment.
  2. It seems the "decode_jwt" accepts all secrets and always gives back the payload of the token as a response. This seems to be a bug, correct?
    - How can we use and validate this in the right way?
  3. How can we validate the provided token with the public key? (Azure will not share the private key.)
    - The JWT token is signed with a public/private key pair. RS256 (RSASSA + SHA256) is an algorithm that uses a public/private key pair. With the public key, a consumer can verify the signature and therefore the authenticity of the JWT.
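
An added, runnable example covering the three questions above (this is not the post's "decode_jwt", nor Betty Blocks or Microsoft code): it extracts the header, shows that a decode which skips verification returns a forged payload just as readily, and verifies an RS256 signature using only the public key, the way a consumer of an Azure AD token would. Everything in it is constructed: the 1024-bit demo key stands in for Azure's signing key, the JWK dict mirrors the `kty`/`kid`/`n`/`e` entries Azure publishes at the `jwks_uri` of its OpenID Connect discovery document, and the claims, the audience `bb-app` and the kid `demo-kid` are made up. The RSA arithmetic is written out so the script runs offline without third-party packages; in production use a maintained JWT library and the real JWKS.

```python
"""Added example (not the post's decode_jwt, not Microsoft code): read and verify
an RS256 JWT with the standard library only. The RSA part is a minimal PKCS#1 v1.5
implementation with a throwaway 1024-bit key so it runs offline; check real Azure AD
tokens with a maintained library (e.g. PyJWT) against the tenant's published JWKS."""
import base64, hashlib, hmac, json, math, random, time

def b64url_decode(s: str) -> bytes:           # JWT base64url is unpadded (RFC 7515)
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _json_b64(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

# ---- throwaway RSA key (stands in for Azure's signing key), demo only ----
def _is_probable_prime(n: int, rounds: int = 20) -> bool:   # Miller-Rabin, n odd > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(c):
            return c
def generate_demo_key(bits: int = 1024, kid: str = "demo-kid"):
    e = 65537            # returns (private exponent d, public JWK dict as in a JWKS)
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    jwk = {"kty": "RSA", "kid": kid, "e": b64url_encode(e.to_bytes(3, "big")),
           "n": b64url_encode((p * q).to_bytes(bits // 8, "big"))}
    return pow(e, -1, phi), jwk

# ---- RSASSA-PKCS1-v1_5 with SHA-256 = JWS alg "RS256" (RFC 7518, RFC 8017 9.2) ----
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def _jwk_numbers(jwk: dict):                                # -> (n, e, byte length of n)
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    return n, int.from_bytes(b64url_decode(jwk["e"]), "big"), (n.bit_length() + 7) // 8
def sign_rs256(payload: dict, d: int, jwk: dict) -> str:
    """Issuer side (Azure's job): only the holder of d can produce this signature."""
    n, _, k = _jwk_numbers(jwk)
    signing_input = _json_b64({"alg": "RS256", "typ": "JWT", "kid": jwk["kid"]}) + "." + _json_b64(payload)
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))

# ---- consumer side: the three questions from the post ----
def decode_header(token: str) -> dict:        # Q1: base64url JSON before the first dot
    return json.loads(b64url_decode(token.split(".")[0]))
def decode_unverified(token: str) -> dict:    # Q2: never reads the signature, so a forged
    return json.loads(b64url_decode(token.split(".")[1]))   # payload decodes just as well
def verify_rs256(token: str, jwks: list, audience: str = None, now: float = None) -> dict:
    """Q3: pin alg, pick the key by kid, verify over header.payload with the PUBLIC key, check claims."""
    h, p, s = token.split(".")                # ValueError unless exactly three parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":          # rejects alg=none and HS256 key confusion
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((j for j in jwks if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no RSA key with kid %r" % header.get("kid"))
    n, e, k = _jwk_numbers(key)
    sig = b64url_decode(s)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("malformed signature")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, _emsa_pkcs1_v15(f"{h}.{p}".encode(), k)):
        raise ValueError("signature does not verify")
    payload = json.loads(b64url_decode(p))
    if (time.time() if now is None else now) >= float(payload.get("exp", 0)):
        raise ValueError("token expired (or has no exp)")
    if audience is not None and payload.get("aud") != audience:
        raise ValueError("audience mismatch")
    return payload

if __name__ == "__main__":
    d, jwk = generate_demo_key()
    token = sign_rs256({"sub": "alice", "aud": "bb-app", "exp": 4102444800}, d, jwk)
    print(decode_header(token), verify_rs256(token, [jwk], audience="bb-app")["sub"])
    h, _, s = token.split(".")
    forged = h + "." + _json_b64({"sub": "admin", "aud": "bb-app", "exp": 4102444800}) + "." + s
    print(decode_unverified(forged)["sub"])   # 'admin': decoding alone proves nothing
    try:
        verify_rs256(forged, [jwk], audience="bb-app")
    except ValueError as err:
        print("rejected:", err)
```

Three things to take from it. The "secret" is irrelevant to a decode that skips verification, so such a function is an inspection tool, not an authentication check. Verification must pin `alg` to RS256 instead of trusting the header, otherwise `alg: none` and HS256 key-confusion tokens get through. And a valid signature alone is not validation: `iss`, `aud` and `exp` have to match what the application expects, and because Azure rotates its signing keys the JWKS should be cached and refetched when a token arrives with an unknown `kid`.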

  • Not sure if I can help, but here are my 2 cents: 1. In my case the JWT and the header were the same. What I did was, I extracted the JWT via a customized request variable and compared the JWT with the JWT I generated based on the payload. 2. Isn't that what it is supposed to do if the JWT is valid? 3. You know the website jwt.io? There you can generate a JWT based on RS256. Perhaps you can use this in some way...
  • Hi Gerhard, thanks for your reply! 1. I don't know what you mean by the JWT and the header being the same. A JWT token consists of three parts: header, payload and signature. So the header can never be the same as the JWT. 2. How can we validate a JWT token if the secret doesn't matter? This way every user can change the token his way and obtain persistent access to the application. 3. As this JWT token is generated by Microsoft, we are not able to generate this code ourselves. To generate this JWT token, you will need a private key, as also mentioned on the website jwt.io. Of course Microsoft will never share this private key. Hope you will have some other ideas?
  • 1. I guess our flows differ. I use the token I generated via jwt.io as the authorization header. 3. Doesn't Microsoft use the same algorithms as described on jwt.io?