
I'm using MSAL to get an access token. It works fine and I'm able to log in and retrieve my Active Directory user.

However, I'm having problems using it to access an API, and I have noticed that when I inspect the token at https://jwt.io/ it says INVALID SIGNATURE.

Is this a problem? If so how can I fix it?

Ben Gannaway
  • Possible duplicate of [Azure AD B2C - Token validation does not work](https://stackoverflow.com/questions/44330242/azure-ad-b2c-token-validation-does-not-work) – spottedmahn Jun 14 '18 at 16:36

1 Answer


No, it isn't a big concern because JWT.io doesn't have the public key, but you can verify the token signature by:

  1. Copying the public key from the "keys" endpoint in Azure AD B2C.
  2. Converting this public key from the JSON Web Key (JWK) format to the PEM format.
  3. Pasting the public key to the "Verify Signature" field in JWT.io.

The keys endpoint is:

https://login.microsoftonline.com/te/{tenant}/{policy}/discovery/v2.0/keys

The public key can be converted from the JWK format to the PEM format using tools such as the jwt-to-pem package.

spottedmahn
Chris Padgett
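The three steps above, worked through in code. This is an added example and not code from the answer or from Microsoft: it uses only the Python standard library, and the JWKS document, the RSA key pair and the token it checks are all constructed locally (the toy key generator stands in for the signing key Azure AD B2C publishes at the keys endpoint; the `kid` value `constructed-kid-1` is made up). `jwk_to_pem` is step 2, turning the `n`/`e` fields of an RSA JWK into the PEM text jwt.io's "Verify Signature" box accepts; `verify_rs256` is step 3 done by hand, which also shows why jwt.io reports INVALID SIGNATURE when it has no key: without `n` and `e` there is nothing to compare the padded digest against. `demo()` verifies a genuine token and then a copy whose payload was swapped while the old signature was kept.

```python
"""RS256 check against a JWK from an Azure AD B2C-style keys document. Added example, not the
answer's code; stdlib only. The JWKS, key pair and token below are constructed locally."""
import base64, hashlib, hmac, json, random

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(i: int) -> bytes:
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # INTEGER is signed; keep it positive

def jwk_to_der(jwk: dict) -> bytes:
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption, NULL
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))  # SubjectPublicKeyInfo

def jwk_to_pem(jwk: dict) -> str:
    """Step 2 of the answer: the text to paste into jwt.io's "Verify Signature" public-key box."""
    body = base64.b64encode(jwk_to_der(jwk)).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(body[i:i + 64] for i in range(0, len(body), 64)) + "\n-----END PUBLIC KEY-----\n"

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RS256 = RSASSA-PKCS1-v1_5 / SHA-256
def _emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_rs256(token: str, jwks: dict) -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # pin the algorithm; the token must not get to choose it
        return False
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(parts[2])
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")  # undo the private-key operation
    return hmac.compare_digest(em, _emsa_pkcs1_v15(f"{parts[0]}.{parts[1]}".encode(), k))

def _probable_prime(n: int) -> bool:  # Miller-Rabin; caller passes odd n > 3 (toy key generation, demo only)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(16):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def make_toy_keypair(bits: int = 1024) -> tuple:
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1  # exact bit length, odd
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % 65537:
            return n, 65537, pow(65537, -1, phi)

def sign_rs256(n: int, d: int, kid: str, claims: dict) -> str:
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))

def demo() -> dict:
    n, e, d = make_toy_keypair()
    kid = "constructed-kid-1"  # stands in for the kid Azure AD B2C publishes in its JWKS
    jwks = {"keys": [{"kty": "RSA", "kid": kid, "e": b64url_encode(e.to_bytes(3, "big")),
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}]}
    token = sign_rs256(n, d, kid, {"sub": "constructed-user"})
    head, _, sig = token.split(".")
    forged = head + "." + b64url_encode(b'{"sub":"someone-else"}') + "." + sig  # payload swapped, old signature
    return {"jwk": jwks["keys"][0], "pem": jwk_to_pem(jwks["keys"][0]),
            "genuine_ok": verify_rs256(token, jwks), "forged_ok": verify_rs256(forged, jwks)}
```

Against a real tenant you would replace the constructed `jwks` with the JSON fetched from the keys URL in the answer and select the key by the `kid` in your token's header; the PEM that `jwk_to_pem` prints is what goes into jwt.io. A signature check alone is not token validation: an API must also check `iss`, `aud` and `exp`, which is what a JWT library or the ASP.NET Core JWT bearer middleware does for you, so treat the hand-rolled verifier above as a way to understand the INVALID SIGNATURE message, not as something to deploy.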
  • This solved a 1 week block for me. I didn't know that Azure AD B2C creates keys in JWK format. I was completely lost looking for the PEM one. – Mario Codes Aug 27 '21 at 10:51
  • jwt.ms does the same decoding as .io but also performs validation for AAD and AAD B2C tokens – Garrison Neely Mar 15 '22 at 22:55