microsoft-authentication-library-for-dotnet: Access Token Signature validation fails

Which version of MSAL are you using? 2.7.0

Which platform has the issue? .NET 4.6 / Win 10 1809

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive

Repro

var Application = new PublicClientApplication(
                                         ClientId,
                                         "https://login.microsoftonline.com/organizations/");
// GetAccountsAsync() must be awaited before FirstOrDefault() is applied to its result.
var account = (await Application.GetAccountsAsync()).FirstOrDefault();
var scopes = new[] { "user.read" };
var result = await Application.AcquireTokenAsync(scopes).ConfigureAwait(false);
var accessToken = result.AccessToken;
  1. Provide a ClientId value, put breakpoint to the last line, run the code and sign in to Azure.
  2. Grab the accessToken value and put it into the Encoded field at https://jwt.io/
  3. Write down the kid value shown in the Decode/header field. Note: The tested tokens used RS256 algorithm.
  4. Open https://login.windows.net/common/discovery/keys, find the kid value and grab the appropriate x5c string value.
  5. Open a new file (call it cert.cer) and write in it
-----BEGIN CERTIFICATE-----
the grabbed x5c string value
-----END CERTIFICATE-----
  6. Run the openssl x509 -pubkey -in cert.cer -text -noout command and grab the public key

    -----BEGIN PUBLIC KEY … END PUBLIC KEY-----

  7. Paste the public key into the VERIFY SIGNATURE/Public key field on the already opened https://jwt.io/

  8. Notice that it shows "Invalid Signature" below the Encoded field.

The token was also tested using the PHP openssl extension (via this, this and this library chain), and it also fails signature verification.

Expected behavior

The signature verification succeeds and the signature is considered valid.

Actual behavior

The signature verification fails and the signature is considered invalid.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 25 (12 by maintainers)

Most upvoted comments

Thanks @jmprieur, you helped a lot.

@mcetkovsky is there a ‘nonce’ in the JwtHeader?
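Steps 2 to 8 of the repro, done offline in Python as an added example (not code from the issue, from MSAL or from jwt.io): it reads alg and kid from the header, reports whether the header carries a nonce as asked in the comment above, selects the JWKS entry whose kid matches, and runs the RS256 (RSASSA-PKCS1-v1_5 with SHA-256) check with the standard library only. It assumes the caller supplies the token and the JWKS document, and uses the n and e members that the discovery keys endpoint publishes next to x5c instead of extracting the key from the certificate with openssl.

```python
import base64
import hashlib
import hmac
import json

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding of JWS segments and JWK fields."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def header_summary(token: str) -> dict:
    """Header fields to look at before verifying: alg, kid, and whether a
    'nonce' field is present (the question asked in the thread)."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return {"alg": header.get("alg"), "kid": header.get("kid"),
            "has_nonce": "nonce" in header}


def find_jwk(jwks: dict, kid: str) -> dict:
    """Pick the key from a JWKS document whose kid matches the token header."""
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    raise KeyError(f"no key with kid {kid!r} in JWKS")


def verify_rs256(token: str, jwks: dict) -> bool:
    """Verify a compact RS256 JWS against a JWKS; this is the check jwt.io runs."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = find_jwk(jwks, header["kid"])
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(sig_b64), "big")
    # The signed input is the header and payload exactly as encoded in the token;
    # re-encoding the header (e.g. after altering a field) changes the digest.
    digest = hashlib.sha256(f"{header_b64}.{payload_b64}".encode("ascii")).digest()
    # RSASSA-PKCS1-v1_5: s^e mod n must equal 00 01 FF..FF 00 || DigestInfo || H
    pad_len = k - 3 - len(SHA256_DIGEST_INFO) - len(digest)
    expected = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + SHA256_DIGEST_INFO + digest
    em = pow(sig, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, expected)
```

A token whose header was re-encoded after signing, or whose payload was altered, fails this check even though the kid resolves to the right key.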