{"id":4748,"date":"2019-03-04T04:07:39","date_gmt":"2019-03-04T04:07:39","guid":{"rendered":"http:\/\/blogs.aaddevsup.xyz\/?p=4748"},"modified":"2021-03-25T23:14:24","modified_gmt":"2021-03-25T23:14:24","slug":"using-jwt-io-to-verify-the-signature-of-a-jwt-token","status":"publish","type":"post","link":"https:\/\/blogs.aaddevsup.xyz\/2019\/03\/using-jwt-io-to-verify-the-signature-of-a-jwt-token\/","title":{"rendered":"Using jwt.io to verify the signature of a JWT token"},"content":{"rendered":"<h1>Introduction<\/h1>\n<p>In an asymmetric algorithm, a JWT token is signed with an Identity Provider&#8217;s private key. To verify the signature of the token, one will need to have a matching public key. This post will cover how to use the JWT tool at <a href=\"https:\/\/jwt.io\/\">https:\/\/jwt.io\/<\/a> to verify the signature of an signed Azure AD token (either access or id token).<\/p>\n<p><span style=\"color: #ff0000;\"><strong>Note:<\/strong><\/span><\/p>\n<ul>\n<li>You should only validate the token intended for your own resource.\u00a0 Using the technique below to validate the signature of a Microsoft First Party Apps token (for example token audience is for Microsoft Graph resource) may fail.<\/li>\n<li><a href=\"http:\/\/jwt.io\">http:\/\/jwt.io<\/a> utility is a 3rd party tool.\u00a0 We (Microsoft) have no knowledge of how this site utilizes the token information.<\/li>\n<li>To see the token claim information, we recommend using the Microsoft utility <a href=\"http:\/\/jwt.ms\">http:\/\/jwt.ms<\/a> since the site does not cache token information.<\/li>\n<\/ul>\n<h1>Verifying the token signature<\/h1>\n<ol>\n<li>\n<div>Browse to <a href=\"https:\/\/jwt.io\/\">https:\/\/jwt.io\/<\/a> and paste the JWT token into Encoded text box. The tool should automatically detect the token&#8217;s signature algorithm (RS256) and displays the token into 3 parts: header, payload, and signature. Note the &#8220;kid&#8221; field in the header. This is the key id of the certificate used to sign the token<\/div>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/2019\/03\/030419_0349_Usingjwtiot1.png\" alt=\"\" \/><\/p>\n<p>Scrolling down a little you will see the version of the token (v1 token in this case) and it will say &#8220;invalid signature&#8221;. This is expected since at this point we have not provided any certificate info for the tool to verify the token signature.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/2019\/03\/030419_0349_Usingjwtiot2.png\" alt=\"\" \/><\/p>\n<\/li>\n<li>\n<div>Find the jwks URL info from Azure AD&#8217;s OIDC well-known endpoint. Depending upon your token version, use the correct well known endpoint (make sure to supply the correct tenant name in the well known URL):<\/div>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v1-protocols-openid-connect-code\">V1 token<\/a>: https:\/\/login.microsoftonline.com\/<span style=\"background-color: yellow;\">{tenant name}<\/span>\/.well-known\/openid-configuration<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-protocols-oidc\">V2 token<\/a>: https:\/\/login.microsoftonline.com\/<span style=\"background-color: yellow;\">{tenant name}<\/span>\/v2.0\/.well-known\/openid-configuration<\/p>\n<p>For my case, I use the V1 OIDC endpoint. You can either paste the URL into a web browser or postman to find the &#8220;jwks_uri&#8221; field from the response:<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/2019\/03\/030419_0349_Usingjwtiot3.png\" alt=\"\" \/><\/p>\n<\/li>\n<li>\n<div>From the JWKS URI endpoint, find the key that has a matching kid (key id) as the token. Copy the long text string from the key&#8217;s x5c field. This is the public key section<\/div>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/2019\/03\/030419_0349_Usingjwtiot4.png\" alt=\"\" \/><\/p>\n<\/li>\n<li>\n<div>Enclose the x5c string in the BEGIN CERTIFICATE \/ END CERTIFICATE block as followed (see example at the end post)<\/div>\n<p>\u2011\u2011\u2011\u2011\u2011BEGIN CERTIFICATE\u2011\u2011\u2011\u2011\u2011<\/p>\n<p>MIIDBTCCAe2gAwIBAgIQKOfEJNDyDplBSXKYcM6UcjANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE4MTIyMjAwMDAwMFoXDTIwMTIyMjAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK8ZT56lunzbgm3a4QxM8BiVbsd4j77bf\/K\/rhxyCmuwv2\/7seYXsDTEvdUoFD2Tq7Km+eLh4\/+yDViqihLRXOGD\/NxYbLP7jv5k\/e3MxDbOM1mkjfRMMPxc9+sav7meue+dJRysF0CdQP6XvlToDZT4PBAou5nkAydOa\/N\/HrtY6ShY8ZEK3URUy4GLUUO08V\/s80cqEUfIqiXOkb54o4dffmH1rQbAiNa9du0hWpFAa2P2SrCshPSjVlC+x+uRMhUTYCvNF32L4UJRsN\/gI39vH4u9cFvgcqStW0wgK88F+84Bdx+j9bvDyqLEjkjf0PfkHPV\/kf2Pt2zqTiIizr8CAwEAAaMhMB8wHQYDVR0OBBYEFC\/\/HOy7pEIKtnpMj4bEMA3oJ39uMA0GCSqGSIb3DQEBCwUAA4IBAQAIYxZXIpwUX8HjSKWUMiyQEn0gRizAyqQhC5wdWOFCBIZPJs8efOkGTsBg\/hA+X1fvN6htcBbJRfFfDlP\/LkLIVNv2zX4clGM20YhY8FQQh9FWs5qchlnP4lSk7UmScxgT3a6FG3OcLToukNoK722Om2yQ1ayWtn9K82hvZl5L3P8zYaG1gbHPGW5VlNXds60jIpcSWLdU2hacYmwz4pPQyvNOW68aK\/Y\/tWrJ3DKrf1feDbmm7O5kpWVYWRpah+i6ePjELNkc2Jr+2DchBQTIh9Fxe8sz+9iOyLh9tubMJ+7RTs\/ksK0sQ1NVScGFxK+o5hFOOMK7y\/F5r467jHez<\/p>\n<p>\u2011\u2011\u2011\u2011\u2011END CERTIFICATE\u2011\u2011\u2011\u2011\u2011<\/p>\n<\/li>\n<li>Now copy entire text above into the 1<sup>st<\/sup> textbox under &#8220;Verify Signature&#8221; section and the Invalid Signature text should change to &#8220;Signature Verified&#8221;<\/li>\n<\/ol>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/2019\/03\/030419_0349_Usingjwtiot5.png\" alt=\"\" \/><\/p>\n<h1>\u00a0<\/h1>\n<h1>Conclusion:<\/h1>\n<p>The above steps show a manual way to validate the JWT token&#8217;s signature given the certificate&#8217;s public key.<\/p>\n<h1>References:<\/h1>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v1-protocols-openid-connect-code\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v1-protocols-openid-connect-code<\/a><\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-protocols-oidc\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-protocols-oidc<\/a><\/p>\n\n\n<p>for clarity:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example public certificate section<\/h3>\n\n\n\n<p>5 dashes followed (no space) by BEGIN CERTIFICATE followed by 5 dashes.  The end section is in the same format<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\n-----BEGIN CERTIFICATE-----\nMIIC8DCCAdigAwIBAgIQUdK9w17K+rNOSRJZP83bIjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0xOTA0MTgwMDU5MzNaFw0yMjA0MTgwMDU5MzNaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArkGIwWMl5Z6bQDsRZocoylG2Nf91JlBWbGKULJCu8yzoFT5C4JgJ6qoYXjKNIq\/+DI8aWsxMclYHmsTRl8JMWaCH1K4BaApYGPYLBjL8DKXm+ELSp9VyAPzD+FYElGCpU+B3FvWcEQvGFBzajhn17J5zutN6I8rGngIK0ewqpekGV85CEFQ5EFwgx7lkF5PLvgiTBq08b8xNB3f0laSGMH7MYjDmGh\/\/Zb2QT\/6S7ZzB85YnGtlOxaLjKeYcM8hBdVK5lYqvQb7a0GWmUxmlwClwN3XpBBdg274hBG4ynkWLnx\/0Vb5\/RfWa0HCRa4JK28sfI\/VufdR0SJ+WBZWXZwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA6IpznhiMSBayXGZaw0o8mPtI9qkXaFF5kDLqZFYN1tVTAukG3Q\/\/PPnwsGLdRHFGOn3OwPNwo7XtmM6iyIunKAjTqtf7zA53umWirJzq85l6NVpqtQf7CABOzY3I6NKEa7wmYPBD6Egh6PqJO9O1ppAqJT4z\/0lYTIEac7KYMdv\/FwpYd0w4Y4gbYtRODO9iQwAXzzM243oM8XSrrqQj3smfNyrZfZS8XWvjQGJy9MTn2Ybvy9IUhVwEWJTyeTKBhnBk9ujNCcEG4kAYL1uWGun+dT2h4vbyNKxMlomryz3actMp90QEefZTZ\/kOxqAthenbou+WF0OfhCH9Zhd04\n-----END CERTIFICATE-----<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Introduction In an asymmetric algorithm, a JWT token is signed with an Identity Provider&#8217;s private key. To verify the signature of the token, one will need to have a matching public key. This post will cover how to use the JWT tool at https:\/\/jwt.io\/ to verify the signature of an signed Azure AD token (either access or id token). Note: You should only validate the token intended for your own&hellip;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[144],"class_list":["post-4748","post","type-post","status-publish","format-standard","hentry","category-tool","tag-jwt"],"_links":{"self":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/4748"}],"collection":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/comments?post=4748"}],"version-history":[{"count":17,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/4748\/revisions"}],"predecessor-version":[{"id":8005,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/4748\/revisions\/8005"}],"wp:attachment":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/media?parent=4748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/categories?post=4748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/tags?post=4748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}