Today I found out – Azure AD ID Token signed by “unknown KID”

Quick post today. Of course, when implementing Azure AD authentication, you should use the Microsoft Authentication Library. Some times, however, you have platform limitations that limits you to implement OpenID Connect “from scratch”. So one of my customers did, but we found the ID Token to be signed by a key with key identifier (kid) that we could not find in the jwks urls found in the OpenID Connect metadata. However, I found it eventually and here is how.

When creating an application, such as when following this blogpost about roles in the ID Token and then running the below PowerShell, the ID Token posted to localhost is signed, and the key identifier “kid” is provided:

$clientid = "dd54e8b7-8c69-435a-a460-e7041f98ee30"
$tenant = "e88da32e-db23-4b1e-af95-f808ac863371"
$redirectUrl = "https://localhost:4000/"
 
# Simply run the following
Read-host "Click enter to put the authorize url on your clipboard" -Verbose
$authorizeUrl = "https://login.microsoftonline.com/$tenant/oauth2/authorize?client_id=$clientid&response_type=code+id_token&redirect_uri=$redirectUrl&response_mode=form_post&nonce=asdokasokdojfoejf"
$authorizeUrl | Set-Clipboard
Write-Verbose "Url copied, please open a browser and paste the url and sign in" -Verbose

What i thought was that this KID is found in jwks url from the OpenID Connect metadata document of the tenant – https://login.microsoftonline.com/e88da32e-db23-4b1e-af95-f808ac863371/.well-known/openid-configuration. However, you will find that the jwks_url of the tenant is actually the same as the common endpoint – https://login.microsoftonline.com/common/discovery/keys. And of course, if all tenants in the world would share the same keys, that would not be good for security.

Where i was wrong was that the metadata document of the tenant is not where to look for the jwks uri, actually, you should look in add a parameter appid to get https://login.microsoftonline.com/e88da32e-db23-4b1e-af95-f808ac863371/.well-known/openid-configuration?appid=dd54e8b7-8c69-435a-a460-e7041f98ee30. Checking out this metadata actually shows you that the jwks url you need is https://login.microsoftonline.com/e88da32e-db23-4b1e-af95-f808ac863371/discovery/keys?appid=dd54e8b7-8c69-435a-a460-e7041f98ee30 , where the first guid is the tenant ID, while the second guid is the application id / client id of the application.

Hope this helps someone 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s