Microsoft-authentication-library-for-js: Acquired tokens have invalid signature

Created on 26 Dec 2018 · 9 Comments · Source: AzureAD/microsoft-authentication-library-for-js

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[x?] Bug report  
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Other... Please describe:

Browser:

  • [ ] Chrome version XX
  • [ ] Firefox version XX
  • [ ] IE version XX
  • [ ] Edge version XX
  • [ ] Safari version XX

Library version

Library version: 0.2.3

Current behavior

When I get a token from AAD, its signature is invalid. I'm not actually sure whether it's an issue with msal or something else. If I get a token issued by the adal library v1.0.0 (against the same AAD, same parameters - clientId, authority), the token verifies as valid.

My backend throws:
"Signed JWT rejected: Invalid signature"
(note that the token obtained via adal passes correctly)

To confirm it's not a backend library issue, I used jwt.io - when pasted on jwt.io, adal's token verifies as valid and msal's as invalid. I'm using the public key found in the jwks_uri https://login.microsoftonline.com/common/discovery/keys, with the x5c corresponding to the x5t; I paste the key surrounded with
-----BEGIN CERTIFICATE-----
<<>>
-----END CERTIFICATE-----

I'm aware that msal isn't the token issuer, but why is adal's token passing then? I've scratched my head for days now, but can't find the origin of the error...

Expected behavior

Token obtained should pass validation on signature using the jwks_uri information and the token header specs.

Minimal reproduction of the problem with instructions

  1. Follow instructions here: https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa
  2. Download the visual studio project (https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2/archive/vsquickstart.zip)
  3. Configure the app.js to correct AD attributes, e.g.:
    clientID: "guidcontaining-your-value-here",
    authority: "https://login.microsoftonline.com/mytenantid-as-a-guid",
    graphScopes: ["user.read"],
    graphEndpoint: "https://graph.microsoft.com/v1.0/me"
  4. Run the VS project (or host the index.html however)
  5. After clicking login, take the Bearer token in the request header and paste it on the jwt.io website.
  6. Open https://login.microsoftonline.com/common/discovery/keys, locate the x5t matching the jwt.io decoded header part of token. In the same collection, extract the x5c value, surround it with
    -----BEGIN CERTIFICATE-----
    <<>>
    -----END CERTIFICATE-----
    and paste it in the jwt.io public key section.

The jwt.io shows "Invalid signature".

  7. Repeat the same process using a client that uses the adal library (e.g. take this web page https://github.com/Microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-active-directory-spring-boot-sample/src/main/resources/static), and simply replace the token and the message changes to show that the signature is valid.

All 9 comments

I used my test app from https://github.com/visualjeff/msal-login-webcomponent. Modified my lib/auth-button.js to console.log out the token in the callback.

    // Token callback passed to the MSAL UserAgentApplication; log the token,
    // and log the error when the library reports one.
    (errorDesc, token, error, tokenType) => {
      console.log(token);
      if (error) {
        console.log(error);
      }
    },

Started my python server.
Loaded http://localhost:4200 in my Chrome browser.
Clicked the login button and authenticated using AAD.
Took the token from the browser console log over to jwt.io and pasted it in.
Located the x5c that matched the kid from the header and pasted it in.
jwt.io gave me the message: Signature Verified.

So it works for me.

Your notes are very good. Maybe you picked up an extra character or space when copying over to jwt.io or something?

The error is actually thrown by the backend libraries accepting the token - I then just verified the signature on jwt.io, and it's wrong there as well... since it's working for you I have to assume it's something related to configuration - either on AAD or in the lib... as far as I recall, I checked and public keys are the same for common or for tenant, as well between versions of API. I'll have to recheck again.

Thanks for your reply, it's a step forward to know it's a config issue.

@veljkoz Please check the jwt from the tokens cached by the library in the browser storage. If this is a config issue on your end, please let us know if this issue can be closed.

At least I can confirm it's not a library issue since the adal also produces invalid signatures for other configurations... I still haven't figured out what's the origin, but in any case this issue is unrelated to msal.
Thanks! Closing...

I have the same situation; have you found a solution?

Yes - one of the attributes was wrong, like where the guid or URL should be, can't remember exactly. Anyway, it's weird but fixing that fixed the signature...

Hi veljkoz,

I am facing the same issue. Could you please tell me what attribute was wrong?

Could you provide some snippets from your code?

When using MSAL.js and you are not using the Graph API, your scopes parameter should be "[CLIENT_ID]/.default":

var requestObj = {
  scopes:["[CLIENT_ID]/.default"]
};

The example here https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa uses the Graph API and generates a token specific to the Graph API; change the scopes parameter if you need to generate an access token for other uses.

More information on scopes parameter: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-v1-app-scopes#scopes-to-request-access-to-all-the-permissions-of-a-v10-application

Greetings
