example for web api token validation

[ctaggart]

I need to validate the identity using a Flask web API. It is a different flow than the ms-identity-python-webapp example. I think I just need to validate the jwt token and some of its values similar to what is done here with this code. Is this something that can be done with msal or am I better off using code like that?

Client credentials flow

[rayluo]

Hi Cameron, thank you for your valuable question! You clearly did your research. :-)

So, what you want is the token validation. And that is NOT the same as "client credentials flow". For what it's worth, client credentials flow is still about the token acquisition, not token validation.

Regardless, we do not currently have a sample for token validation. I'm marking this as an enhancement item here, and we will take this into consideration when next time we update our plan.

[ctaggart]

They you Ray. Yes, token validation is what I'm looking for.

[gwsampso]

+1 for token example

[dsjijo]

Hi ,

This is not bug , but needs a help on how to do this feature

.
I have a web app (Flask ) A created by following this tutorial. Link
And I have another website B hosted in another host provider and trying to access above api from B.
I added CORS in A but want to impliment an oAuth2 in azure . how to do that?
I am looking a scenario where credentials prompt is not shown . like a deamon app it should be able to get the token.
I am new to all these. Hope you got what am i looking into.

[dsjijo]

any example also would do. Thanks.

[dsjijo]

Hi All
I have found a repository doing the same Link .

The token I was able to get through following this link and restructed my app like the secureFlaskApp.

Thanks for the help.

[eprigorodov]

A sufficient number of JWT validation checks is being performed in the msal.oauth2cli.oidc.decode_id_token(), which is called upon adding tokens into TokenCache: token_cache.py:137. But these checks do not include signature verification, [update: which is not necessary when obtaining tokens directly from the AAD server over SSL, e.g. via .acquire_token_by_authorization_code()].

Also, msal depends on pyjwt library, which contains API method for full JWT validation. The method requires AAD public key, so here is the way to call it [update: for ID tokens]:

1. Load OpenID configuration from https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
2. Use the jwks_uri endpoint to load AAD public keys (currently https://login.microsoftonline.com/common/discovery/v2.0/keys).
3. Take the key that corresponds to "kid" field value of JWT header.
4. Base64-decode the value of key's "x5c" field and decode it as X.509 certificate in DER format. Convert its public key part into PEM format.
5. Call jwt.decode(itoken, public_key, audience=<client_id>), supplying client_id of your application, and catch exceptions that it can raise.

from base64 import b64decode
import jwt
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import requests

jwks_uri = 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
jwkeys = requests.get(jwks_uri).json()['keys']

token_key_id = jwt.get_unverified_header(token)['kid']
jwk = [key for key in jwkeys if key['kid'] == token_key_id][0]
der_cert = b64decode(jwk['x5c'][0])
cert = x509.load_der_x509_certificate(der_cert, default_backend())
public_key = cert.public_key()
pem_key = public_key.public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo)
token_claims = jwt.decode(token, pem_key, audience=client_id)

update: This method may fail for access tokens, because they might be issued for another audience (e.g. Microsoft Graph API) and signed with audience-specific key.

[rayluo]

Hi @eprigorodov , thank you for the code review on our existing implementation. We love this community voices. :-)

With regard to the topic you brought up above, it is actually a different topic than the current issue. The current issue is about Access Token validation, the topic you brought up is about ID Token validation. MSAL already performs ID token validation, we just validate it in a different-than-pyjwt way, but still specs-compliant.

Should you have follow-up question on ID token validation, please create ANOTHER issue for its subsequent discussion.

[cheslijones]

Would be great to have functionality to verify access_token sent from the FE. It would seem like this functionality would make sense given the Angular and upcoming React libraries in @azure/msal-browser. Those access_token need to be validated by your API whether it is Express, Django/DRF, etc. somehow and it is not clear how to do this in this library's current state.

[eprigorodov]

@rayluo, thank you for pointing out, indeed I was looking for an issue about ID token validation and misread the actual subject.

@cheslijones, access tokens issued for Microsoft APIs are usually supposed to be opaque for the client and will be validated by the very endpoint service. Clients just send them as-is to the target API and process responses with possible validation errors. msal.TokenCache will take care about expiration and refresh, if used in a recommended way (see point 2. of the usage guide).

[cheslijones]

@eprigorodov It sounds like the library does not support my use case.