jwt - Validating the token recieved from azure ad b2c using the Values from "jwks_uri" endpoint

Question

I am getting the azure ad access token from an Utility Service and I want to validate it using some standard token validation parameters which includes issuer, audience and issuer signing key.Now I have the issuer and audience but I don't have the issuer signing key.

However I have extracted the key information using the jwks_uri end point of azure ad b2c which gives me a json output as

{
  "keys": [
    {
      "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4......",
      "nbf": 1493763266,
      "use": "sig",
      "kty": "RSA",
      "e": "AQAB",
      "n": "tVKUtcx_n9rt5afY_2WFNvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmL...."
    }
  ]
}

I tried using just the n value as the key but I am getting an exception that token validation failed. Now I want to know how do I get the issuer signing key to validate the token. Is n+e (string concatenation ?) a solution? I saw a similar question Azure AD B2C - Token validation does not work but it did not answer my question and hence would like to know the exact way to do it in .net core.

Answer 1

According to my understanding, you want to validate the access token. If so, we can use the sdk System.IdentityModel.Tokens to implement it. For example

 var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                                   "https://testb2ctenant05.b2clogin.com/testB2CTenant05.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_test",
                                    new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever());
            CancellationToken ct = default(CancellationToken);
            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
            var discoveryDocument = await configurationManager.GetConfigurationAsync(ct);
            var signingKeys = discoveryDocument.SigningKeys;
            var validationParameters = new TokenValidationParameters
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                ValidateIssuer = true,
                ValidIssuer = discoveryDocument.Issuer,
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys = signingKeys,
                ValidateLifetime = true,

            };

 var principal = new JwtSecurityTokenHandler()
            .ValidateToken(token, validationParameters, out var rawValidatedToken);