microsoft-authentication-library-for-js: Cannot validate access token, maybe because of the nonce

I’m submitting a…

  • Documentation issue or request

Library version

latest

Issue

I make the following requests to get an access token:

import * as Msal from 'msal';

const MSAL = new Msal.UserAgentApplication({
  auth: {
    clientId: ***,
    authority: ***,
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: true
  }
});

await MSAL.loginPopup({})

const tokenResponse = await MSAL.acquireTokenSilent({
  scopes: ['user.read']
});


// Send to my server API => cannot validate the access token

I see that this issue exists in other libs: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609

I have a nonce in my token when I decode it in https://jwt.io/

Two options:

  • Getting an access token without a nonce (is there a way to do this? I have been searching the docs for a while with no luck)
  • Process the token to make the token valid.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 20 (1 by maintainers)

Most upvoted comments

The funny part is that the server just returns RS256 in the header, but actually, to validate, it needs to be HS256, so if you change it manually and pack the header back to Base64, changing RS256 to HS256, validation passes.

@jvandervelden I think I'm in the same boat as @fabien-h because I tried to validate the Access Token. I'm not using the Graph API; I have my own API which serves protected data, and a JavaScript SPA which calls the API to show data to the user.

So I was sending the Access Token as a Bearer in the Authorization header. I tried to validate this access token by calling https://login.microsoftonline.com/common/discovery/keys (or the one with my tenant) and extracting the public key. Unfortunately, there is a special treatment applied to the nonce in the header of the access token which makes it invalid against the public key provided.

What I may have misunderstood is that I should not use the access token for my own API, but the ID token instead. If I refer to this doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-page-application , it's stated:

  1. The browser calls the application’s web API back end with the ID token in the authorization header. The Azure AD authentication service issues an ID token that can be used as a bearer token if the resource is the same as the client ID (in this case, this is true as the web API is the app’s own backend).

So in my case, should I use the ID token? If so, the docs here https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens are kind of confusing:

ID Tokens should be used to validate that a user is who they claim to be and get additional useful information about them - it shouldn’t be used for authorization in place of an access token.

I don’t know you, but for the next 24h, you are my favorite person in the world.

// REACT CODE
const msalSuccessHandler = (authResponse: Msal.AuthResponse) => {
  console.log("MSAL Success.");
  setError(undefined);
  setAuthResponse(authResponse);
  // Request a token for the API's own scope (api://<app-id>/access), not for Graph.
  clientApplication.acquireTokenSilent({ scopes: ['openid', "api://xxxx/access"] })
    .then((result: Msal.AuthResponse) => {
      console.log("access token with only openid", result);
      setAccessToken(result.accessToken);
    })
    .catch((err) => { console.log(err); });
};

I read over the article too quickly, and in case it is yours, you could improve it by giving an example of the call (with openid + api scopes). I needed to reread it multiple times to get it right.

Thanks for helping me out!