By edrin gjoleka

Validating Azure Active Directory Access Tokens

Token validation includes the following five steps:

  1. Validate that the signature of the token is correct - the token was issued by Microsoft and its contents have not been forged or altered by a third party.

  2. Validate that the token has not expired - Azure AD access tokens have a default lifetime of roughly an hour (3600 seconds); after that the token must not be accepted. The expiry time is found in the exp claim, and the nbf claim marks the start of the validity window; a small allowance for clock skew between AAD and your server is normal.

  3. Validate that the scope is the correct one - the token was issued to access this specific API. Delegated permissions are found in the scp claim as a space-separated list (not comma-separated); tokens obtained with application permissions carry a roles claim instead.

  4. Validate the issuer - in this case Microsoft, meaning the Azure AD authority of your tenant. The issuer is found in the iss claim; for v2.0 tokens it has the form https://login.microsoftonline.com/{tenantid}/v2.0 and should be compared exactly against the tenant you expect, not accepted merely because it is a Microsoft URL.

  5. Validate the audience - the token must be intended for this API. The audience is found in the aud claim and must equal the API's client id or Application ID URI; in this case it is the client id of the Postman application registration.


Only when all of these checks pass can the token be considered valid and used.

Let's spend a bit more time on the first step, signature validation, as it is the most complex one.

First, what is a signature?

A digital signature is a way to validate the authenticity and integrity of data. To create one, AAD computes a one-way hash (SHA-256) over the signing input, which is the base64url-encoded header, a dot, and the base64url-encoded payload, and signs that hash with its private key (the RS256 algorithm named in the header, i.e. RSASSA-PKCS1-v1_5 with SHA-256). The signature is base64url encoded and appended after the header and payload as the third part of the JWT string shown at the beginning of this post. To verify the signature we need the matching AAD public key. AAD publishes its OpenID Connect discovery document at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration; the jwks_uri field in that document points to the JSON Web Key Set that contains the current public keys.


How can we find out which key to use?

If we refer back to the header section of the JWT, we can see that it includes information to identify the key. In this case:


"kid": "piVlloQDSMKxh1m2ygqGSVdgFpA",

"x5t": "piVlloQDSMKxh1m2ygqGSVdgFpA",


kid is the key identifier used to look the key up in the key set, and x5t is the thumbprint of the signing certificate; in AAD's key set the two carry the same value, as here. The resource server selects the key whose kid matches and uses it to verify the signature. This verification is a very important step, as it assures the resource server that the token has not been manipulated: the information in it is unaltered (guaranteed by the hash) and it was issued by Microsoft AAD (signed with the Microsoft private key, which only Microsoft holds). Otherwise anyone could forge a JWT and send it to the resource server on behalf of Microsoft. Two practical points follow from this: AAD rotates its keys, so an unknown kid should trigger a refresh of the key set before the token is rejected, and the verifier must insist on the algorithm it expects (RS256) rather than trusting whatever alg the header names.
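The following is a complete, runnable illustration of the five checks listed above and of the signature step in particular. It is an added example, not code from the original post, and it uses only the Python standard library. The RSA key that stands in for AAD's signing key is built from two Mersenne primes so the example is deterministic and self-contained; such a key is trivially factorable and must never be used for anything real. The tenant id, client id, kid and claims are constructed placeholders, and the key set is built in memory instead of being fetched from the jwks_uri. What it shows is the exact shape of RS256 (PKCS#1 v1.5 over the SHA-256 of base64url(header).base64url(payload)), key selection by kid, and why the signature check has to come before any claim is read.

```python
import base64, hashlib, json

# Constructed identifiers for this example (not a real tenant, app or key id).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
API_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # this API's client id, i.e. the expected aud
KID = "example-kid-1"
NOW = 1_700_000_000  # fixed clock so the checks below are reproducible

def rsa_key(p: int, q: int, e: int = 65537) -> dict:
    # Stand-in for AAD's key, built from Mersenne primes: deterministic but trivially factorable, demo only.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

SIGNING_KEY = rsa_key(2**521 - 1, 2**607 - 1)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def jwk_from_key(key: dict, kid: str) -> dict:
    # Public half as a JWK, the shape AAD serves from the jwks_uri named in its discovery document.
    enc = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}

# RS256 is RSASSA-PKCS1-v1_5 over SHA-256 (RFC 7518 s3.3, RFC 8017 s9.2).
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(digest: bytes, k: int) -> int:
    t = _DIGESTINFO_SHA256 + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def issue_token(key: dict, kid: str, claims: dict, alg: str = "RS256") -> str:
    # Issuer side: hash base64url(header).base64url(payload), sign the hash with the private key.
    signing_input = b64url_json({"typ": "JWT", "alg": alg, "kid": kid}) + "." + b64url_json(claims)
    if alg == "none":  # produced only so the verifier can be shown rejecting it
        return signing_input + "."
    k = (key["n"].bit_length() + 7) // 8
    m = _emsa_pkcs1_v15(hashlib.sha256(signing_input.encode()).digest(), k)
    return signing_input + "." + b64url(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

class TokenError(Exception): ...

def validate_token(token, jwks, issuer, audience, scope, now, leeway=60):
    # Resource-server side: the five checks from the post, signature first.
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except ValueError:
        raise TokenError("malformed token")
    # 1. Signature: pin the algorithm, select the key by kid, verify with the public key.
    if header.get("alg") != "RS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise TokenError("unknown kid")  # a real verifier re-fetches the JWKS once before failing
    n, e = (int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(b64url_decode(s64), "big")
    expected = _emsa_pkcs1_v15(hashlib.sha256(f"{h64}.{p64}".encode()).digest(), k)
    if s >= n or pow(s, e, n) != expected:
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(p64))  # only now can the claims be trusted
    # 2. Lifetime: nbf <= now <= exp, with a small allowance for clock skew.
    if not claims.get("nbf", 0) - leeway <= now <= claims.get("exp", 0) + leeway:
        raise TokenError("outside validity window")
    if scope not in claims.get("scp", "").split():  # 3. scp is space-separated; app-only tokens use 'roles'
        raise TokenError("missing scope")
    if claims.get("iss") != issuer:  # 4. the tenant-specific authority, compared exactly
        raise TokenError("wrong issuer")
    aud = claims.get("aud")  # 5. this API's client id (or App ID URI), never another app's
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims

JWKS = {"keys": [jwk_from_key(SIGNING_KEY, KID)]}
GOOD_CLAIMS = {"iss": ISSUER, "aud": API_CLIENT_ID, "sub": "user-1",
               "scp": "access_as_user Files.Read", "nbf": NOW - 10, "exp": NOW + 3600}

def check(token: str, now: int = NOW) -> str:
    try:
        validate_token(token, JWKS, ISSUER, API_CLIENT_ID, "access_as_user", now)
        return "ok"
    except TokenError as exc:
        return str(exc)

def demo() -> dict:
    good = issue_token(SIGNING_KEY, KID, GOOD_CLAIMS)
    h64, _, s64 = good.split(".")
    forged = f"{h64}.{b64url_json(dict(GOOD_CLAIMS, sub='admin'))}.{s64}"  # edited payload, old signature
    return {
        "good": check(good),
        "forged_payload": check(forged),
        "alg_none": check(issue_token(SIGNING_KEY, KID, GOOD_CLAIMS, alg="none")),
        "unknown_kid": check(issue_token(SIGNING_KEY, "rotated-kid", GOOD_CLAIMS)),
        "expired": check(good, now=NOW + 7200),
    }
```

Calling demo() returns, per case, either "ok" or the reason the token was rejected: the token whose payload was edited after signing fails the signature check even though it still carries a genuine AAD signature, an alg "none" token is refused before any key is looked up, an unknown kid is the signal to refresh the key set (AAD rotates keys) rather than to accept the token, and a token presented an hour after its exp is rejected despite the skew allowance. Pinning the algorithm matters: a verifier that honours whatever alg the header names can be tricked into treating the RSA public key as an HMAC secret or into skipping verification altogether.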


If you want to know more about the identity tokens issued by AAD, see the following post:

