question

0 Votes
HarjaniAshish-7896 asked Reuben-7481 commented

Azure AD B2C - Id_Token Signature issued by Custom Policies in identity experience framework

Hi,

As per the below docs :
https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

Validation of an id_token should be the same as validating an access_token, which means that an id_token should be signed. But when an id_token is issued by the Identity Experience Framework (after the user logs in), that id_token does not contain any signature.

Please explain the ambiguity between the docs and the actual functionality.

One more reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens, which says "To validate an id_token or an access_token, your app should validate both the token's signature and the claims".

Thanks!

azure-ad-b2c

It looks like I have the same issue:

I have set up a new B2C tenant and, using https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started, I have set up the Identity Experience Framework.

Everything works fine (sign-in, sign-up), but when B2C issues the token, the signature is not valid.

I may be mistaken, but it looks like something is missing in the setup when using App registrations (Preview). I have another tenant that I set up with the legacy App Registration, and that one is working fine. Legacy App Registration is not available any more, so it should be removed from the documentation.

Please advise.

1 Vote
0 Votes
amanpreetsingh-msft answered HarjaniAshish-7896 commented

@HarjaniAshish-7896 I disagree with you on this statement "when an id_token is issued by Identity Experience Framework ( after user logs in) then that id_token does not contain any signature."

Below is a snippet of an id_token issued by IEF, which is signed. If you decode the token at https://jwt.ms, you will find that the green text is the signature and "alg": "RS256" is the id_token signing algorithm, which matches the value of the id_token_signing_alg_values_supported parameter in your OIDC metadata, located here:
https://login.microsoftonline.com/{your_b2c_tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration

[screenshot: capture.jpg]


Please "Accept as answer" wherever the information provided helps you to help others in the community.




@amanpreetsingh-msft - Thanks for getting back on this. Can you please take that token generated by IEF and decode it at https://jwt.io/? You would notice at the end of the page:

[screenshot: capture.png]

Similarly, if you take any access token and decode it at the same website, it would tell you that the signature is valid. Can you please explain this?

Thanks!

0 Votes
2 Votes
amanpreetsingh-msft answered Reuben-7481 commented

@HarjaniAshish-7896 This is because jwt.io is not able to fetch the public key and so is unable to validate the signature. Please refer to the screenshot below, which is captured with a token issued via standard AAD and not IEF. There is a slight difference in how the public key is fetched in the case of a token issued via IEF, which might be the reason why you don't see the public key on jwt.io for a token issued via IEF. You can read more about signature validation in B2C here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview#validate-signature

[screenshot: capture.jpg]


Please Accept as answer wherever the information provided helps you to help others in the community.



The problem with this article is that it does not detail what you need to do to validate the signature, and instead sends the user in search of an article that describes what you need to do.

Even worse, some jwks_uri payloads for Azure B2C do not have a readily available x5c value and only have an e and n value. I've read somewhere that a PEM certificate can be reverse-engineered from these values.

It would be great if the section describing validation of a signature for Azure B2C followed through with some recommendations on how that is actually done, or recommended at least one article.

0 Votes

0 Votes
Sunny987 answered rajankarwal commented

Hi Amanpreet,

I hope you are doing well and safe!!

Can you please help me with the "JWT's signature kid value is not matched" error and how I can validate the kid?

I am using jwks_uri for the keys. I am not an expert, so if you can, please explain step by step the complete chronology to try.

Did you ever fix this? I have the same issue when trying to use one of the policies from a B2C application. (It works fine from an IEF application.)

0 Votes
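Nothing in the thread shows the validation that the linked docs describe, which the comment about the missing x5c value asks for, and the later "kid value is not matched" question is the first step of that same validation failing. The following Go program is an added example, not Microsoft's code and not taken from the linked documentation: it takes a JWKS of the shape B2C's jwks_uri serves (an RSA key carrying only kty, kid, n and e, no x5c), rebuilds the public key from n and e, selects the key by the kid in the token header, verifies the RS256 signature over header.payload, and only then decodes the claims and checks iss, aud, exp and nbf. The key pair, the kid "kid-1", the issuer https://contoso.b2clogin.com/tenant-id/v2.0/ and the audience "app-client-id" are constructed fixtures so that it runs offline; in production the JWKS comes from the jwks_uri field of the policy-specific metadata document (the metadata URL cited in the answer above takes the policy name, for example as a p= query parameter), and an unknown kid means that document should be re-fetched before the token is rejected, because the keys roll over.

```go
package main

// Added example (not Microsoft's or any library's code): verify an Azure AD B2C id_token
// against a JWKS that carries only n and e, using nothing but the Go standard library.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the part of an RFC 7517 RSA key B2C's jwks_uri serves; x5c is optional and often
// absent, so the key is rebuilt from n and e. encoding/json maps "kty","kid","n","e" here.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

// PublicKeyFromJWK rebuilds an RSA public key from the n and e members alone.
func PublicKeyFromJWK(k JWK) (*rsa.PublicKey, error) {
	nb, errN := base64.RawURLEncoding.DecodeString(k.N)
	eb, errE := base64.RawURLEncoding.DecodeString(k.E)
	e := new(big.Int).SetBytes(eb)
	if k.Kty != "RSA" || errN != nil || errE != nil || !e.IsInt64() || e.Int64() < 3 {
		return nil, fmt.Errorf("malformed RSA JWK %q", k.Kid)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}, nil
}

// VerifyIDToken does what jwt.io could not do for the poster: select the key by kid from the
// policy's JWKS, check the RS256 signature over header.payload, then check iss/aud/exp/nbf.
func VerifyIDToken(token string, jwks JWKS, iss, aud string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have three segments")
	}
	var raw [3][]byte // JWT segments are base64url without padding; tolerate padding anyway
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(p, "="))
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		// RS256 is the only alg B2C advertises; in particular never accept "none".
		return nil, fmt.Errorf("header unusable or alg %q is not RS256 (%v)", hdr.Alg, err)
	}
	var pub *rsa.PublicKey
	var err error
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid {
			if pub, err = PublicKeyFromJWK(k); err != nil {
				return nil, err
			}
		}
	}
	if pub == nil { // "kid not matched": JWKS from another policy, or the key rolled; refetch jwks_uri
		return nil, fmt.Errorf("kid %q not found in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]interface{} // only now is the payload trustworthy
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp is 0 and rejected
	if nbf, _ := claims["nbf"].(float64); claims["iss"] != iss || claims["aud"] != aud ||
		now.Unix() >= int64(exp) || now.Unix() < int64(nbf) {
		return nil, fmt.Errorf("claims rejected: iss=%v aud=%v exp=%v nbf=%v", claims["iss"], claims["aud"], exp, nbf)
	}
	return claims, nil
}

// Constructed fixture: throwaway signing key, a token minted as IEF would, an n/e-only JWKS.
const TestIss, TestAud = "https://contoso.b2clogin.com/tenant-id/v2.0/", "app-client-id" // assumed values

func SignTestToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + enc(sig)
}

func JWKSForKey(pub *rsa.PublicKey, kid string) JWKS {
	enc := base64.RawURLEncoding.EncodeToString
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: enc(pub.N.Bytes()), E: enc(big.NewInt(int64(pub.E)).Bytes())}}}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	claims := map[string]interface{}{"iss": TestIss, "aud": TestAud, "sub": "user-1", "nbf": now.Unix() - 60, "exp": now.Unix() + 600}
	got, err := VerifyIDToken(SignTestToken(priv, "kid-1", claims), JWKSForKey(&priv.PublicKey, "kid-1"), TestIss, TestAud, now)
	fmt.Println(got["sub"], err) // user-1 <nil>
}
```

Two points of the design matter in practice. The alg check is pinned to RS256 before any key lookup, so a token with "alg": "none" or an HMAC alg cannot talk the verifier into skipping or downgrading the signature check. And the kid lookup is the only place where a B2C-specific failure shows up: each custom policy publishes its own metadata and jwks_uri, so a JWKS fetched for one policy will not contain the kid of a token issued by another, and a cached JWKS goes stale when the key rolls; the right reaction to an unknown kid is one rate-limited re-fetch of the policy's jwks_uri, then rejection.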