I have an SPA that is using Azure AD authentication to create ID and Access tokens. My intention is to use Guardian in my Elixir backend to verify that the tokens sent in the Authorization header are legitimate.

Using the VerifyHeader Guardian Plug I am receiving invalid_token errors. I assume this is because of a misconfiguration of the secret_key in the Guardian config. The Access Token decodes correctly on JWT.io

I'm not sure what the secret_key should be though. No secret is passed to the Azure service when I create the token (i.e. when the user logs in). I attempted to create a key with a Client Secret configured in the App Registration but that did not work.

Given that the tokens are RS256 encoded, should the Guardian secret_key be the public key as provided by Azure?

Abuelo
  • Remember that JWTs are normally READABLE (i.e. decodable) by any entity, e.g. JWT.io. Security is usually enforced by checking the signature. Yes, I would try using the public key as the "secret" -- there are only so many parts in play, and usually it takes some twiddling to figure out which one goes where or whether or not you need to do some decoding before use (e.g. to convert from base-64 encoding or similar) – Everett Jul 25 '22 at 12:22
  • Guardian is overkill for that. Use [JOSE](https://hexdocs.pm/jose/readme.html#usage), and make a plug that verifies the header. – Adam Millerchip Jul 25 '22 at 22:37
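
A worked example of the verification the question and the comments describe, added here as editor's illustration; it is not code from the question, from Guardian or from JOSE. It simulates the Azure AD side by generating an RSA key pair and publishing the public half as a JWKS document (the shape Azure serves at https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys), then verifies an RS256 token with JOSE using only that public key: with RS256 there is no shared secret, which is why a Client Secret can never work as secret_key. The tenant id, client id and key id are placeholders, and the `AzureTokenVerifier` module and its function names are this example's own.

```elixir
# Stand-alone script: save as verify_rs256.exs and run `elixir verify_rs256.exs`.
Mix.install([{:jose, "~> 1.11"}, {:jason, "~> 1.4"}])
JOSE.json_module(Jason)

defmodule AzureTokenVerifier do
  @moduledoc """
  Verifies an RS256-signed JWT against a JWKS document. Only the issuer's
  public key is needed; no secret is shared between Azure AD and the API.
  Issuer/audience values are placeholders: take yours from a real token.
  """
  @issuer "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
  @audience "api://11111111-1111-1111-1111-111111111111"

  @doc "Returns {:ok, claims} or {:error, reason}."
  def verify(token, %{"keys" => keys}, now \\ System.system_time(:second)) do
    with {:ok, kid} <- header_kid(token),
         {:ok, jwk_map} <- find_key(keys, kid),
         jwk = JOSE.JWK.from_map(jwk_map),
         # verify_strict pins the accepted algorithms, so a token rewritten with
         # alg "none" or with HS256 (public key reused as HMAC secret) is rejected.
         {true, %JOSE.JWT{fields: claims}, _jws} <- JOSE.JWT.verify_strict(jwk, ["RS256"], token),
         :ok <- check_claims(claims, now) do
      {:ok, claims}
    else
      {false, _jwt, _jws} -> {:error, :bad_signature}
      {:error, _} = err -> err
    end
  end

  # Read the unverified header only to pick the key; nothing else is trusted yet.
  defp header_kid(token) do
    case JOSE.JWT.peek_protected(token) do
      %JOSE.JWS{fields: %{"kid" => kid}} -> {:ok, kid}
      _ -> {:error, :no_kid}
    end
  rescue
    _ -> {:error, :malformed_token}
  end

  defp find_key(keys, kid) do
    case Enum.find(keys, &(&1["kid"] == kid)) do
      nil -> {:error, :unknown_kid}
      key -> {:ok, key}
    end
  end

  # A valid signature only proves Azure minted the token; iss/aud/exp prove
  # it was minted for this API and is still current.
  defp check_claims(claims, now) do
    cond do
      claims["iss"] != @issuer -> {:error, :bad_issuer}
      claims["aud"] != @audience -> {:error, :bad_audience}
      not is_integer(claims["exp"]) or claims["exp"] <= now -> {:error, :expired}
      true -> :ok
    end
  end
end

# --- Simulated identity provider (constructed for this example) ---
kid = "example-kid-1"
private_jwk = JOSE.JWK.generate_key({:rsa, 2048})
{_meta, public_map} = private_jwk |> JOSE.JWK.to_public() |> JOSE.JWK.to_map()
jwks = %{"keys" => [Map.put(public_map, "kid", kid)]}

now = System.system_time(:second)
claims = %{
  "iss" => "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "aud" => "api://11111111-1111-1111-1111-111111111111",
  "exp" => now + 3600,
  "sub" => "user-1"
}
{_alg, token} =
  JOSE.JWT.sign(private_jwk, %{"alg" => "RS256", "kid" => kid}, claims) |> JOSE.JWS.compact()

IO.inspect(AzureTokenVerifier.verify(token, jwks), label: "genuine token")

# Same signature, edited payload: must fail with {:error, :bad_signature}.
[header, _payload, sig] = String.split(token, ".")
forged = Base.url_encode64(Jason.encode!(Map.put(claims, "sub", "admin")), padding: false)
IO.inspect(AzureTokenVerifier.verify(Enum.join([header, forged, sig], "."), jwks), label: "forged token")

# Expired token: signature is fine, but the claim check rejects it.
IO.inspect(AzureTokenVerifier.verify(token, jwks, now + 7200), label: "expired token")
```

To keep Guardian instead of a hand-written plug, the same public JWK map is what goes into `secret_key` (Guardian.Token.Jwt accepts a JWK map there, not just a string) together with `allowed_algos: ["RS256"]`; the default `allowed_algos` is HMAC-only, which on its own produces `invalid_token` for an RS256 token. Azure rotates signing keys, so in production fetch the JWKS document, cache it, and refetch once when a token carries an unknown `kid`. One caveat worth checking before debugging further: if the SPA asks for a token scoped to Microsoft Graph rather than to a scope exposed by your own API registration, the access token is intended for Graph and is not meant to verify in your backend; request your API's own scope.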

0 Answers