
I used MSAL JS for authenticating the user and thereafter called acquireTokenPopup(scopes) for the access token.

I am getting the access token, but cannot use it, as it says "Invalid Signature" (checked in jwt.io too, same error).

On the forum I found that it is due to Graph adding a nonce. What will be the solution? Please help.

Following is the code.

// Scopes requested for the access token
tenantConfig = {
    scopes: ["directory.read.all"]
};

// Try to get the token silently first; on failure fall back to the popup.
// Arrow functions are used so that `this` still refers to the enclosing
// component inside the callbacks (plain `function` callbacks rebind `this`,
// which made `this.clientApplication` undefined in the error handler).
this.clientApplication.acquireTokenSilent(this.tenantConfig.scopes).then(
    (accessToken) => {
        console.log("access token (silent) " + accessToken);
    },
    (error) => {
        console.log(error);
        this.clientApplication
            .acquireTokenPopup(this.tenantConfig.scopes)
            .then(
                (accessToken) => {
                    console.log("access token   " + accessToken);
                },
                (error) => {
                    alert(error);
                }
            );
    }
);
Paul

2 Answers


When using MSAL.js and you are not using the Graph API, your scopes parameter should be "[CLIENT_ID]/.default":

var requestObj = {
  scopes:["[CLIENT_ID]/.default"]
};

If you intend to use the Graph API, the scopes parameter is different:

// Resource identifier of the API, prefixed to each permission name
var ResourceId = "https://graph.windows.net/";
var scopes = [ ResourceId + "Directory.Read", ResourceId + "Directory.Write"];

The example at https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa uses the Graph API and generates a token specific to the Graph API; change the scopes parameter if you need to generate an access token for other uses.

More information on scopes parameter: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-v1-app-scopes#scopes-to-request-access-to-all-the-permissions-of-a-v10-application

Juan Rojas
  • This was not clear from any of the documentation. Once I switched out the scope to this, the token signature was accepted as valid. Don't know exactly why, but thank you! – Sean Halls Jun 02 '21 at 14:11
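An added example, not code from the question or either answer, showing why the local signature check fails and how an API should treat the two kinds of token: it decodes the JOSE header without verifying and flags tokens that carry the Graph nonce (only Graph can validate those) versus tokens issued for your own client ID. The sample tokens, the placeholder client ID and the claim values are constructed; `classifyToken` and its helpers are assumed names.

```javascript
// Added example (not from the question or answers). A token minted for
// Microsoft Graph carries a `nonce` in its header and only Graph can verify
// its signature, so jwt.io or your own API reports "Invalid Signature".
// A token requested with "[CLIENT_ID]/.default" has no header nonce.

// base64url helpers: atob/btoa in browsers and Node 16+, Buffer fallback.
const fromB64 = typeof atob === "function" ? atob
  : (s) => Buffer.from(s, "base64").toString("binary");
const toB64 = typeof btoa === "function" ? btoa
  : (s) => Buffer.from(s, "binary").toString("base64");
function b64urlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  return fromB64(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
}
function b64urlEncode(s) {
  return toB64(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode header and payload WITHOUT verifying the signature. The result is
// untrusted; it is only used to decide whether local verification applies.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return { header: JSON.parse(b64urlDecode(parts[0])),
           payload: JSON.parse(b64urlDecode(parts[1])) };
}

// Classify a token for an API whose expected audience is `expectedAud`:
// "graph-only" (do not verify locally, just pass it to Graph), "ok", or
// "wrong-audience" (reject: it was issued for some other resource).
function classifyToken(token, expectedAud) {
  const { header, payload } = decodeJwt(token);
  if (typeof header.nonce === "string") return "graph-only";
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expectedAud) ? "ok" : "wrong-audience";
}

// Constructed sample tokens with a fake signature segment (demo only).
function makeSample(header, payload) {
  return [b64urlEncode(JSON.stringify(header)),
          b64urlEncode(JSON.stringify(payload)), "c2lnbmF0dXJl"].join(".");
}
const CLIENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder
const graphToken = makeSample(
  { typ: "JWT", nonce: "constructed-nonce", alg: "RS256", kid: "k1" },
  { aud: "https://graph.microsoft.com", scp: "Directory.Read.All" });
const appToken = makeSample({ typ: "JWT", alg: "RS256", kid: "k1" },
                            { aud: CLIENT_ID, scp: "access_as_user" });
```

In a real API, a token classified "ok" still goes through full validation (signature against the tenant's signing keys, issuer, expiry) before any claim is trusted.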

This doesn't matter. Just change the algorithm to HS256 in jwt.io, then the signature will be verified.


The access token should be OK. Just make sure you have added the Directory.Read.All permission in the Azure portal and granted admin consent.


Reference:

Call Graph API from a JavaScript Single Page Application using msal.js

Tony Ju
  • But when decoding the token with jwt.io or jwt.ms it says the algorithm is RS256. Is MSAL.js encoding wrong? – Juan Rojas Jan 22 '20 at 20:21
  • It turns out the token is not wrong, it is just a specific token for the Graph API only. See my answer below. – Juan Rojas Jan 22 '20 at 21:59
  • This answer gets it to decode correctly in the decoder, but misses the general use case of validating against Azure's metaidentity service. Juan Rojas' answer corrected my invalid signature issue per the OP's use case. – Sean Halls Jun 16 '21 at 23:57