SharePoint Online Client Extensibility Web Application Principal - where can I find the public signature?

[butchmarshall]

Category

• Question
• Typo
• Bug
• Additional article idea

I would like to verify the JWT generated by the aadTokenProviderFactory but cannot figure out where the signature keys is stored.

None of the signatures at https://login.microsoftonline.com/common/discovery/v2.0/keys are valid.

[msft-github-bot]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[andrewconnell]

I have a blog post that explains how this works and how you can validate the tokens:
http://www.andrewconnell.com/blog/validating-azure-ad-generated-oauth-tokens

You have to query AAD for the keys, find the one that was used to generate the digital sig, then use that to decode it.

[butchmarshall]

Hi Andrew,

Yes - I query for the keys @ https://login.microsoftonline.com/common/discovery/v2.0/keys but none of those keys work for the JWT generated by the aadTokenProviderFactory for SharePoint.

Regular AAD tokens I generate from my application work fine with these keys.

[andrewconnell]

@butchmarshall wrong location... you're looking at the v2 AAD auth endpoints... SPO uses v1 as it leverages ADAL.

You should look here as the above-mentioned blog post states: https://login.microsoftonline.com/common/discovery/keys

[butchmarshall]

Hi Andrew,

For me - none of the keys at either of these addresses work for the JWT generated by the "SharePoint Online Client Extensibility Web Application Principal"

https://login.microsoftonline.com/common/discovery/keys
https://login.microsoftonline.com/common/discovery/v2.0/keys

e.g. I pull out the key with the right KID

I go to verify, but is invalid

[andrewconnell]

(1) That app is not generating the access token... AAD is generating the token. The app is just an app...
(2) I just verified it's working in a solution for me using the JWT.IO site tool... so something odd on your side...

[butchmarshall]

Here's a last ditch effort I guess. This is a token generated for one of my tests users - does it validate for you?

eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEQ29NcGpKWHJ4VHE5Vkc5dGUtN0ZYdXh1Tlo4em5LYkNqbzhmeVc1amJkRUxQZjBVNWgxVjlhYllDb294bTVaVXF6MWpSTE90ZHdWRm9idjJ2NUZTdG5FY1RqcE5NeFNHaWRnTkFnYUgwVlNBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiSEJ4bDltQWU2Z3hhdkNrY29PVTJUSHNETmEwIiwia2lkIjoiSEJ4bDltQWU2Z3hhdkNrY29PVTJUSHNETmEwIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC85YWM4N2M4Ny03ZjAxLTQyOTctYjczZC04MGZhNDRmOTExODkvIiwiaWF0IjoxNTU3MTYyNTczLCJuYmYiOjE1NTcxNjI1NzMsImV4cCI6MTU1NzE2NjQ3MywiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IjQyWmdZTWkrdlRQbG9hYmFhcWVDRGUzTXFXcHhNMW0reE4zc0RyNnJXZk9BMjFpbmh3Y0EiLCJhbXIiOlsicHdkIl0sImFwcF9kaXNwbGF5bmFtZSI6IlNoYXJlUG9pbnQgT25saW5lIENsaWVudCBFeHRlbnNpYmlsaXR5IFdlYiBBcHBsaWNhdGlvbiBQcmluY2lwYWwiLCJhcHBpZCI6ImU1MjYzOTU3LWE1ZDMtNGY0ZC04YzZmLWQ2YjI4NjVkMTk1NSIsImFwcGlkYWNyIjoiMCIsImZhbWlseV9uYW1lIjoiTmV1bWFubiIsImdpdmVuX25hbWUiOiJDaW5keSIsImlwYWRkciI6Ijc2Ljc1Ljk2LjI0MyIsIm5hbWUiOiJDaW5keSBOZXVtYW5uIiwib2lkIjoiZTk0NTBiNzctNTM2NS00MGVkLWFjMWYtZWQxNGEzYWVmZDhkIiwicGxhdGYiOiIxNCIsInB1aWQiOiIxMDAzN0ZGRUEyQTQ2MkVGIiwic2NwIjoicHJvZmlsZSBVc2VyLlJlYWQgVXNlci5SZWFkLkFsbCBVc2VyLlJlYWRCYXNpYy5BbGwiLCJzaWduaW5fc3RhdGUiOlsia21zaSJdLCJzdWIiOiJ2OTV6WFFZSVZMUWlMVVlCRjg1X1NaSk5fazRRNFFnbFdTbkJzaURlUzJVIiwidGlkIjoiOWFjODdjODctN2YwMS00Mjk3LWI3M2QtODBmYTQ0ZjkxMTg5IiwidW5pcXVlX25hbWUiOiJjaW5keUB0ZW1ib3NvY2lhbG8zNjVkZXYub25taWNyb3NvZnQuY29tIiwidXBuIjoiY2luZHlAdGVtYm9zb2NpYWxvMzY1ZGV2Lm9ubWljcm9zb2Z0LmNvbSIsInV0aSI6InZIdE5pZ2JUTUVDUGJ3bkk3RVZiQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfdGNkdCI6MTQ5ODE1NDk1Nn0.kOeB3fcpAqRCaSSGNkHBZnowElPvCWSsrChGQa_VQ5OrpNscr3KxUn4Swfyi9wDzN2qSz3zEg-Sj1-b0tpPOtXTRH84wwuFJPAFyCKLa3eUOYLxhh7JFs700w5rxjVgjnY5xe3XtyUO2X7IEFtFxis-ltweaf8S4ZE8UK3mh5_vvsyq2OD_qdbZk0Pqr-aR_Dm-8znkNxUrlCQaVQP-RHQqb9owpdPv8AGwOYLjl-xRR0Ing2vyfrGTIehW4Z3GUvgOQrpH3uYhOHIJC6ebwptNrety_x3V_k1kMAQhyBJw_-rmZf5RHqwfhBMOKZS7GDH_6MUOD7njaje3-xNiSxw

[andrewconnell]

Odd... doesn't validate for me...

[butchmarshall]

All of my tenants are the same (i've tried this on 4 separate tenants) using the aadTokenProvider with an SPFX webpart.

https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient is the code I'm using to get the token.

The token does work for Microsoft Graph requests, so must be validated internally somewhere?