
This is a duplicate of how to validate token using outlook rest api, but that received no answers so I'm asking again.

I have managed to authorise a user and receive an access token. I will use the sandbox as an example.

I have decoded the access token and got the following:

Header

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "MnC_VZcATfM5pOYiJHMba9goEKY",
  "kid": "MnC_VZcATfM5pOYiJHMba9goEKY"
}

Payload

{
  "aud": "https://outlook.office.com",
  "iss": "https://sts.windows.net/c512ffd1-581d-4dc0-a672-faee32f6387c/",
  "iat": 1458918504,
  "nbf": 1458918504,
  "exp": 1458922404,
  "acr": "1",
  "amr": [
    "pwd"
  ],
  "appid": "32613fc5-e7ac-4894-ac94-fbc39c9f3e4a",
  "appidacr": "1",
  "family_name": "Dehenne",
  "given_name": "Denis",
  "ipaddr": "137.117.9.62",
  "name": "Denis Dehenne",
  "oid": "28328486-e820-4c98-a1cf-e8b35456313a",
  "puid": "10033FFF89319A48",
  "scp": "Calendars.Read Contacts.Read Mail.Read",
  "sub": "XfYUvqiIreYX9wF-909Yf7Hodiwg6ClTwWOc75WmX7o",
  "tid": "c512ffd1-581d-4dc0-a672-faee32f6387c",
  "unique_name": "DenisD@oauthplay.onmicrosoft.com",
  "upn": "DenisD@oauthplay.onmicrosoft.com",
  "ver": "1.0"
}

Signature

gtpjf40FxEN8cTX22Mk-Da1n_sKtIUGAmzyYkuhkCskR5y1j4uuenf4ejJxeRwtqIIRWN5w1zOfvFZ2XqXreeSpSCZU-CJCoHIicchChUbyq4iIEcWZr29LbnpDkCyqB8LzoA3rEHUxhZYwHnWIHmkrD4XbMN4CW31bdNQwP0YgXvIucLe_tv80Eu4jDiZsqfCh91DFIb7bv6mbPXiTYMtV6OEdXeHLh--vFvZRRm--atSkKrZHFPT1no2B0YAC8w0kEYWPHyM-TbGni6WjIc7ZGSuDNmkHJfIKndcoFzlVJubV2ntKJhWrXfee490oj3GJi-lkNkFLfa9_VDIYu0w

"Inside the Exchange identity token" mentions something about metadata and self-signed X509 certificates, but those tokens include fields that don't exist in the ones I am getting.

The header states that the token is signed with RSA. I want to validate the token and for that I need the public key of the signing certificate. Where would I get the certificate? Do I even need to validate the token?

1 Answer


The token is issued by Microsoft Azure, not by Outlook or the Outlook REST API. I added the azure tag for you. According to the subtopic Validating Tokens:

At this point in time, the only token validation your apps should need to perform is validating id_tokens. In order to validate an id_token, your app should validate both the id_token's signature and the claims in the id_token.

We provide libraries & code samples that show how to easily handle token validation - the below information is simply provided for those who wish to understand the underlying process. There are also several 3rd party open source libraries available for JWT validation - there is at least one option for almost every platform & language out there.

It goes on to give more specifics. For example, to get the signing key data:

You can acquire the signing key data necessary to validate the signature by using the OpenID Connect metadata document located at:

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
