microsoft-authentication-library-for-js: Cannot validate access token, maybe because of the nonce
I’m submitting a…
- Documentation issue or request
Library version
latest
Issue
I make the requests to get an access token:

```js
import * as Msal from 'msal';

// `***` are the placeholders from the original report for the app registration values.
const MSAL = new Msal.UserAgentApplication({
  auth: {
    clientId: ***,
    authority: ***,
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: true
  }
});

// Interactive login, then a silent token request for the `user.read` scope.
await MSAL.loginPopup({});
const tokenResponse = await MSAL.acquireTokenSilent({
  scopes: ['user.read']
});
// Send tokenResponse.accessToken to my server API => cannot validate the access token
```
I see that this issue exists on other libs: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609
I have a nonce in my token when I decode it in https://jwt.io/
Two options:
- Getting an access token without a nonce (is there a way to do this? I have been searching the doc for a while with no luck)
- Process the token to make the token valid.
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 20 (1 by maintainers)
The funny part is that the server just returns RS256 in the header, but actually, to validate, it needs to be HS256, so if you change it manually and pack the header back to Base64, changing RS256 to HS256, validation passes.
@jvandervelden I think I’m in the same boat as @fabien-h because I tried to validate the Access Token. I’m not using the Graph API, I have my own API which serves protected data, and a JavaScript SPA which calls the API to show data to the user.
So I was sending the Access Token as a Bearer in the Authorization header. I tried to validate this access token by calling https://login.microsoftonline.com/common/discovery/keys (or the one with my tenant) and extracting the public key. Unfortunately there is a special treatment made on the nonce in the header of the access token which makes it not valid with the public key provided.
What I may have misunderstood is that I should not use the access token for my own API, but the id token instead. If I refer to this doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-page-application , it’s stated:
So in my case should I use the id token? If so, the docs here https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens are kind of confusing:
I don’t know you, but for the next 24h, you are my favorite person in the world.
I’ve read too quickly over the article and, in case it is yours, you could improve it by giving an example of the call (with openid+api scopes). Needed to reread multiple times to get it right.
Thanks for helping me out!