Where's the Key for My Azure AD B2C Token? - jwt

I'm following this guide and using the jwt.io Chrome add-in but I can't find my key so that I can manually verify the signature.
JWT Header
{
"typ": "JWT",
"alg": "RS256",
"kid": "c9HOlAkfaBs4YSKZ7RoMnZlKrVzdkXHB2QoLv1fETQ8"
}
The OpenID Connect metadata document leads me to https://login.microsoftonline.com/common/discovery/v2.0/keys but that response does not have this kid.
I've also referenced this blog post.

The URL to retrieve your Azure AD B2C tenant's keys has the following format:
https://login.microsoftonline.com/te/<tenantName>.onmicrosoft.com/b2c_1_<policyName>/discovery/v2.0/keys
For example:
https://login.microsoftonline.com/te/fabrikamb2c.onmicrosoft.com/b2c_1_edit_profile/discovery/v2.0/keys
Note that both the keys and URLs are different from those for regular Azure AD and Azure AD's v2.0 endpoint (the latter being the URL you referenced in your question).
At this time, all built-in policies (even across tenants) use the same keys; in the case of custom policies, however, you'll see different keys per tenant and in some cases even per policy.
Important note: You won't be able to use jwt.io out of the box to validate Azure AD B2C tokens given that the keys in Azure AD B2C are in a different format.
See Azure AD B2C - Token validation does not work

This answer is quite old and the URL as at October 2021 is now:
https://<tenantName>.b2clogin.com/<tenantName>.onmicrosoft.com/b2c_1_<policyName>/discovery/v2.0/keys

Related

Add additional "aud" entry to Azure ADB2C token

I'm using a custom policy in Azure ADB2C to authenticate and authorize users to my API backend. This works fine.
Now I want to add an additional "aud" entry to the Azure ADB2C jwt token such that I can use the same token for a different service which expects this aud entry to be present.
Right now Azure ADB2C fills in the "aud" field with the ApplicationID for which it was created.
Is there a way to add a static entry to the "aud" field in Azure ADB2C?
Based on your description, I think you are expecting to use the same token to access multiple services (please correct me if my understanding is wrong). Unfortunately, you cannot do this.
A token can only correspond to one scope. The access token is issued according to the api audience you want to access, and it is unique! A token can only have one audience, and you cannot use multiple scopes to request access tokens. If you need to access other services, you should obtain a token for each service separately.
Update:
You can put multiple APIs of the same type in the scope because they are still of the same type in essence. But it is not acceptable to request the same access token for two different types of APIs.
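An added example, not code from either answer above, showing in Go what the key-discovery answer and the audience answer imply for the API that receives the token. The verifier pins alg to RS256, selects the signing key by kid from a JWKS in the shape the discovery endpoint returns (base64url n and e rather than PEM, which is why jwt.io cannot consume it as-is), verifies the signature, and then checks iss, exp, and that aud equals this API's own application ID. It runs offline: the key pair, the issuer URL and the two application IDs are constructed for the example (the kid is the one from the question's header), so nothing here is a real tenant's key. The second case is a token minted for another service's application ID, the third reproduces the question's symptom, a kid that is not in the JWKS you fetched.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is one entry of the "keys" array served at .../discovery/v2.0/keys: an RSA public key
// identified by kid, with modulus and exponent as base64url integers rather than PEM.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var b64 = base64.RawURLEncoding // JWS and JWK use unpadded base64url

// signRS256 mints a compact JWT the way the issuer does (sample issuer for this example only).
func signRS256(kid string, claims map[string]interface{}, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only a broken RNG gets here
	}
	return input + "." + b64.EncodeToString(sig)
}

// verifyToken is what a resource API should do with a B2C token: pin alg to RS256, select the
// signing key by kid from the tenant's JWKS, verify the signature, then check iss, aud and exp.
func verifyToken(token string, keys []JWK, wantIss, wantAud string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d is not base64url", i)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg %q: never let the token pick the algorithm", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid != hdr.Kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("JWK %q has malformed n/e", k.Kid)
		}
		pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	if pub == nil { // the question's symptom: the token is fine, the JWKS came from the wrong URL
		return nil, fmt.Errorf("kid %q not in JWKS (wrong discovery URL, or key rollover)", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != wantIss {
		return nil, fmt.Errorf("untrusted issuer %v", claims["iss"])
	}
	if claims["aud"] != wantAud { // aud is the application ID the token was issued for, one per token
		return nil, fmt.Errorf("audience %v is not this API (%s)", claims["aud"], wantAud)
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired or missing exp")
	}
	return claims, nil
}

// runScenario plays both tenant and API. The key pair, issuer URL and application IDs are
// constructed for this example; the kid is the one from the question's header.
func runScenario() (good map[string]interface{}, goodErr, wrongAud, unknownKid error) {
	const kid, iss = "c9HOlAkfaBs4YSKZ7RoMnZlKrVzdkXHB2QoLv1fETQ8", "https://fabrikamb2c.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
	const myAPI, otherAPI = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keys := []JWK{{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	now := time.Now()
	claims := func(aud string) map[string]interface{} {
		return map[string]interface{}{"iss": iss, "aud": aud, "sub": "user-1", "exp": now.Add(time.Hour).Unix()}
	}
	good, goodErr = verifyToken(signRS256(kid, claims(myAPI), priv), keys, iss, myAPI, now)
	_, wrongAud = verifyToken(signRS256(kid, claims(otherAPI), priv), keys, iss, myAPI, now)
	_, unknownKid = verifyToken(signRS256("some-other-kid", claims(myAPI), priv), keys, iss, myAPI, now)
	return
}

func main() {
	good, goodErr, wrongAud, unknownKid := runScenario()
	fmt.Println("valid token: sub =", good["sub"], "err =", goodErr)
	fmt.Println("wrong audience:", wrongAud)
	fmt.Println("unknown kid:", unknownKid)
}
```

In production the constructed key list is replaced by the "keys" array fetched from the tenant's b2clogin.com discovery URL; cache it, and on an unknown kid refetch once before rejecting, since signing keys roll over. The aud check is deliberately an exact match against this API's own application ID: a token minted for another service fails here, which is the behaviour the answer above describes.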

JWT Token nested in the "idp_access_token" Claim of the B2C token

My project is an MVC Core 3.1 web application.
The authentication is based on the Microsoft.identity.web template to sign in users in Azure AD B2C.
You can find the samples here: https://github.com/AzureAD/microsoft-identity-web/wiki#samples
Users can register/login as standard users on B2C or login with the corporate account (Azure AD, so an OpenID Connect identity provider).
When a user signs in with the corporate account, I get a JWT token with a claim named "idp_access_token" which contains the access_token from Azure AD. It contains some claims I need for the application (for some reason I can't even see the emailAddress/unique_name in the B2C token, so I need to get it from here...).
But I'm not sure how (and where) I'm supposed to deal with this token and how to access the claims inside it. Can I map them in the ClaimsPrincipal? Because I would like to use the email as the "User.Identity.Name".
Should I write a service (transient?) and Inject it where I need it?
Sounds like you are using a feature you don’t actually need. Usually the embedded IdP access token is used to call the services that the IdP hosts. For example, a user logs in with Facebook and your app wants to call the Facebook API to post to their Facebook wall.
You as the app developer should not inspect or use the token yourself, as you cannot trust it. If you want data from that token, then perform the relevant claims mappings in your B2C policy/user flow, as B2C does validate the token and can trust it. You cannot. Services provided by the IdP will verify it, so they also can trust it.

Alter Claims of Azure B2C JWT After Sign In

TL;DR: Is it possible to hit the Azure B2C auth server and have it return to a URL on the app (so a full round-trip) a JWT with altered claims? I.e. not part of signing in - that has already happened and we are using a JWT already.
I have successfully set up Azure B2C to use a custom policy that hits a REST API to get extra claims information.
However, I have a certain situation where I want the user to specify a "mode" and have their JWT altered by Azure B2C to set the current mode as a claim.
Basically, the REST API will return something like:
{
"available_modes":"1,2,3"
}
And then I want the user to be able to change this so that they can select a mode, e.g. "2". Is there a way to hit the auth server and have it hit say https://myapi.com?mode=2, passing through the username claim to that API endpoint. Then, the auth server would return the JWT that ultimately has been altered to set something like "current_mode" claim value to "2".
This is a somewhat contrived example but I hope it makes sense, would it be possible by a custom claim to have it go off to the auth server and back in one round trip, returning with a new JWT?

Sync an attribute from ADFS to Azure AD custom application

I have an Azure AD Tenant that is federated with ADFS.
ADFS has an attribute called "employeeNumber".
When a user authenticates against AAD for accessing our custom Web API, I would like the JWT provided by AAD to contain the claim "employeeNumber".
Once the user is authenticated against the custom Web API, the code must check the presence of this claim and its related value.
I've found some tutorials for doing something like this but they refer to SaaS applications.
Attribute sync tutorial
Custom applications registered in AAD don't have the option "provisioning" that the above link refers to.
Thank you.
Are you using AAD Connect?
That needs to be configured to pass the attribute.
Then you need to tell Azure AD to pass the attribute by modifying the manifest.

Authorizing asset on a user by user basis

Documentation is quite vague and everything related to this subject mostly points towards AAD.
The requirement I have is to be able to show a video only to users who have a specific permission. This can be as simple as having a claim in their JWT. Using AAD isn't an option so I was wondering if there is any other way I can achieve this.
The way I could imagine this work is that you can specify a claim that you want Azure Media Services to check that the incoming JWT has and then specify the token's AES key or provide a certificate if you choose to go with RS token encryption.
It is NOT required to use any specific token provider (such as Azure AD). You can definitely create your own JWT provider (so-called STS, Secure Token Service), using asymmetric key encryption. In your STS, you can add custom claims as desired based on your business logic.
Make sure the issuer, audience and claims all match up exactly between what is in JWT and the ContentKeyPolicyRestriction used in ContentKeyPolicy in Azure Media Services.