Azure-docs: Public key does not exist in jwk_uris for the AD B2C user flow

Created on 11 Jul 2019 · 9 Comments · Source: MicrosoftDocs/azure-docs

I've created a user signup for an AD B2C tenant and followed the examples above to create an authorization code which I then used to generate an access token. However, when I try to get the public key to verify the access token I can't find it.

Although I can match the key_id of the JWT from the 'jwks_uri' of the B2C tenant's user flow metadata the response I receive does not contain the public key information:

{'kid': 'X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk', 'nbf': 1493763266, 'use': 'sig', 'kty': 'RSA', 'e': 'AQAB', 'n': 'tVKUtcx_n9rt5afY_2WFNvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmLiWZizpb-h0qup5jznOvOr-Dhw9908584BSgC83YacjWNqEK3urxhyE2jWjwRm2N95WGgb5mzE5XmZIvkvyXnn7X8dvgFPF5QwIngGsDG8LyHuJWlaDhr_EPLMW4wHvH0zZCuRMARIJmmqiMy3VD4ftq4nS5s8vJL0pVSrkuNojtokp84AtkADCDU_BUhrc2sIgfnvZ03koCQRoZmWiHu86SuJZYkDFstVTVSR0hiXudFlfQ2rOhPlpObmku68lXw-7V-P7jwrQRFfQVXw'}


All 9 comments

@mliudev Thanks for your feedback! We will investigate and update as appropriate.

Hey @mliudev, what do you mean by "the response you receive does not contain the public key information"? If the KIDs match then it should be correct. You can follow this guide on how to easily check if the JWT token has been properly signed: https://blogs.aaddevsup.xyz/2019/03/using-jwt-io-to-verify-the-signature-of-a-jwt-token/

Hey @mliudev, I'm following up on this; can you please respond in regard to this issue? If there's no response by end of day, I'll be closing this issue out. If you have any more questions, please reopen the git issue.

Hi Frank,

The kids match; however, as I've shown in the response, there is no 'x5c' key in the response dictionary. I can't verify the signature because there is no public key in the response.

@mliudev I see, please see the Stack Overflow post here: https://stackoverflow.com/questions/44664510/difference-between-azure-ad-and-azure-ad-b2c-tokens

Per the post: "it is same to verify the tokens from Azure AD B2C and normal Azure AD. We can generate the public key using the exponent(e) and modulus(n). But the keys endpoint is different, we need to using the link like below to retrieve the keys for the Azure AD B2C:"

I do believe we should include this in the documentation however as it is not clear how to properly validate the id token. Thank you for your feedback, and we'll go ahead and make those changes.

Please let us know if you have any more questions within the scope of the thread.

Hey @mliudev, as this issue has been addressed I will be closing out this git issue now. If there are any more issues, please reopen the issue and we can continue discussing it.

Thanks again for letting us know about this issue!

Thanks, I didn't know that you could generate the public key from the exponent and modulus. I agree this would be useful information in this documentation.

@FrankHu-MSFT I'd like to say that putting the burden of having to generate the public key on the developer is quite frustrating. Most libraries expect you to already have a public key. I don't see any reason why a developer needs to understand how to generate a public key at this low of a level, especially since the format of the exponent and modulus isn't provided in this documentation.

In my case I had to convert both the exponent and modulus to integers, which required several type conversions in Python. For example, the modulus had to be encoded as bytes in hex format and then converted to an integer from that hex format. The exponent had to be base64 decoded into bytes and then converted to an integer. Nowhere in the documentation does it say what format the exponent or modulus are in, nor are there links pointing to the RSA spec which explains this. Not that I would expect a developer to have to understand that spec in the first place.

@mliudev you're absolutely right, and we're looking into this issue and will get back to you. We appreciate the feedback, and hope to provide a more friendly developer experience. I'll let the product group team know about this.

I also suggest filing this in UserVoice here: https://feedback.azure.com/forums/169401-azure-active-directory
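As an added example (not part of this issue thread or the Azure docs), the conversion the last comments describe: decode the JWK's base64url 'n' and 'e' into integers, wrap them in a standard PEM public key that ordinary JWT libraries accept, and run a raw RS256 signature check that needs nothing but n and e. The JWK is the one quoted in the issue; the helper names are mine, and no library beyond the Python standard library is assumed.

```python
import base64
import hashlib

# The JWK quoted in the issue above: only 'n' and 'e' are present, no 'x5c'.
B2C_JWK = {
    "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk", "kty": "RSA", "use": "sig",
    "e": "AQAB",
    "n": "tVKUtcx_n9rt5afY_2WFNvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmLiWZizpb-h0qup5jznOvOr-Dhw9908584BSgC83YacjWNqEK3urxhyE2jWjwRm2N95WGgb5mzE5XmZIvkvyXnn7X8dvgFPF5QwIngGsDG8LyHuJWlaDhr_EPLMW4wHvH0zZCuRMARIJmmqiMy3VD4ftq4nS5s8vJL0pVSrkuNojtokp84AtkADCDU_BUhrc2sIgfnvZ03koCQRoZmWiHu86SuJZYkDFstVTVSR0hiXudFlfQ2rOhPlpObmku68lXw-7V-P7jwrQRFfQVXw",
}


def b64url_to_int(s: str) -> int:
    """JWK 'n' and 'e' are unpadded base64url big-endian unsigned integers (RFC 7518 6.3)."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def _der_len(n: int) -> bytes:
    """DER length: one byte below 0x80, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    size = (n.bit_length() + 7) // 8
    return bytes([0x80 | size]) + n.to_bytes(size, "big")


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(i: int) -> bytes:
    body = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep it positive


def jwk_to_spki_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo: SEQ { AlgorithmIdentifier(rsaEncryption, NULL), BIT STRING RSAPublicKey }."""
    rsa_pub = _der(0x30, _der_int(b64url_to_int(jwk["n"])) + _der_int(b64url_to_int(jwk["e"])))
    alg_id = bytes.fromhex("300d06092a864886f70d0101010500")  # OID 1.2.840.113549.1.1.1 + NULL
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))


def jwk_to_pem(jwk: dict) -> str:
    """PEM 'PUBLIC KEY' block that PyJWT, cryptography, OpenSSL etc. load directly."""
    b64 = base64.b64encode(jwk_to_spki_der(jwk)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def rs256_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 check (RFC 8017 8.2.2) using only n and e.
    signing_input is the JWT's 'header.payload' bytes, signature its decoded third segment."""
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info
```

Feeding the PEM from jwk_to_pem to a JWT library is the usual route; rs256_verify is there to show that the signature check really needs nothing more than the two integers the endpoint returns.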
