Validate Azure B2C tokens with symmetric HS256 secrets

I am trying to validate the signature of the tokens that were signed by B2C with a symmetric key using the HS256 algorithm. I have the tokens but I can't figure out what is used as a secret to encrypt/decrypt the signature. These tokens were stored for audit and many are already expired.

In a B2C environment what is used to generate symmetric signed tokens? How do I retrieve such information from the Azure Portal? Any ideas on how I could get this key or use a library such as MSAL to validate the signature of the tokens (note that the tokens might be expired)?

More info:

When I open the jwks_uri URL from the openid-configuration it prints the following information

{
   "keys": [
      {
         "kid": "mykidgoeshere",
         "use": "sig",
         "kty": "oct"
      }
   ]
}

And the header of the JWT contains

{
   "typ": "JWT",
   "alg": "HS256",
   "kid": "mykidgoeshere"
}


Solution 1:[1]

Are these special tokens or the standard ones?

To validate the standard ones, just use the B2C well-known endpoint to get the public keys. See here.

MSAL will validate the JWT or else look here.
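
For the signature check the question asks about, an added example (not part of the original question or answer, and not Azure or MSAL code): it verifies an HS256 JWT with Python's standard library, pins `alg` and `kid`, and reports expiry instead of rejecting on it. The secret, the function names and the sample token are assumptions constructed here; the JWKS entry shown in the question carries no key material (no `k` member), so the real secret has to come from wherever the signing key is configured.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    # Used here only to build the constructed sample token below.
    parts = [json.dumps(p, separators=(",", ":")).encode() for p in (header, claims)]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, expected_kid: str) -> dict:
    """Verify the signature only; report expiry instead of rejecting on it."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm and key id; never let the token pick them (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if header.get("kid") != expected_kid:
        raise ValueError("unexpected kid")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    return {"claims": claims, "expired": exp is not None and exp < time.time()}

# Constructed sample: placeholder secret and an already-expired token.
SECRET = b"placeholder-secret-not-a-real-key"
HEADER = {"typ": "JWT", "alg": "HS256", "kid": "mykidgoeshere"}
TOKEN = sign_hs256(HEADER, {"sub": "audit-user", "exp": 1500000000}, SECRET)
```

Calling `verify_hs256(TOKEN, SECRET, "mykidgoeshere")` returns the claims with `expired` set to `True`, so an audit job can record both facts separately.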

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 rbrayb