
Cannot validate access token, maybe because of the nonce


I’m submitting a…

  • Documentation issue or request

Library version

latest

Issue

I make the requests to get an access token:

import * as Msal from 'msal';

const MSAL = new Msal.UserAgentApplication({
  auth: {
    clientId: '***',   // redacted
    authority: '***',  // redacted
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: true
  }
});

// Wrapped in an async function so the awaits are valid outside a module top level.
async function getAccessToken() {
  await MSAL.loginPopup({});

  const tokenResponse = await MSAL.acquireTokenSilent({
    scopes: ['user.read']
  });

  // Send tokenResponse.accessToken to my server API => cannot validate the access token
  return tokenResponse.accessToken;
}

I see that this issue exists on other libs: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609

I have a nonce in my token when I decode it in https://jwt.io/

Two options:

  • Getting an access token without a nonce (is there a way to do this? I have been searching the doc for a while with no luck)
  • Process the token to make the token valid.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:20 (1 by maintainers)

Top GitHub Comments

funcelotwork commented, Dec 4, 2019 (4 reactions)

The funny part is that the server just returns RS256 in the header, but actually, to validate, it needs to be HS256, so if you change it manually and pack the header back to Base64, changing RS256 to HS256, validation passes.

cforycki commented, Jul 11, 2019 (2 reactions)

@jvandervelden I think I’m in the same boat as @fabien-h because I tried to validate the Access Token. I’m not using the Graph API; I have my own API which serves protected data, and a JavaScript SPA which calls the API to show data to the user.

So I was sending the Access Token as a Bearer in the Authorization header. I tried to validate this access token by calling https://login.microsoftonline.com/common/discovery/keys (or the one with my tenant) and extracting the public key. Unfortunately there is a special treatment made on the nonce in the header of the access token which makes it not valid with the public key provided.

What I may have misunderstood is that I should not use the access token for my own API, but the ID token instead. If I refer to this doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-page-application , it’s stated:

  1. The browser calls the application’s web API back end with the ID token in the authorization header. The Azure AD authentication service issues an ID token that can be used as a bearer token if the resource is the same as the client ID (in this case, this is true as the web API is the app’s own backend).

So in my case should I use the ID token? If so, the docs here https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens are kind of confusing:

ID Tokens should be used to validate that a user is who they claim to be and get additional useful information about them - it shouldn’t be used for authorization in place of an access token.

