I'm trying to get refresh token flow working in my application, but I've run into a problem where the token I get back from Azure AD does not validate. There's a more complete write-up on StackOverflow and a gist with a runnable code sample, but in short, the verification code looks like this:
    // Assumed setup, not shown in the post: jsonwebtoken does the verification,
    // jwks-rsa fetches the issuer's signing keys by kid. The jwksUri is a placeholder.
    const jwt = require('jsonwebtoken')
    const jwksClient = require('jwks-rsa')
    const client = jwksClient({
      jwksUri: 'https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys'
    })

    // Key resolver for jwt.verify: look up the public key whose kid matches the token header.
    const getKey = (header, callback) => {
      client.getSigningKey(header.kid, (err, key) => {
        if (err) {
          callback(err)
        } else {
          const signingKey = key.publicKey || key.rsaPublicKey
          callback(null, signingKey)
        }
      })
    }

    // Verify signature and age (maxAge); no audience or issuer option is passed here.
    const verifyToken = token => new Promise((resolve, reject) => {
      jwt.verify(token, getKey, { maxAge: '1h' }, (err, decoded) => {
        if (err) {
          console.log('token verification failed:', err.message)
          reject(err)
        } else {
          resolve(decoded)
        }
      })
    })
and when I get a token through the authorization code flow, everything works as expected, but when I refresh the token using the refresh token flow, the new token is deemed to have an invalid signature - even though it's perfectly possible to use the new token for communicating with Azure.
What should I look for here?