Validating Access Token with Azure AD B2C
qchuchu opened this issue · 0 comments
qchuchu commented
Hi there,
I'm currently protecting our application using Azure AD B2C. I was first intrigued by your validateAccessToken feature on the Azure.php provider.
However, by deep-diving into the code, I saw that the token validation is very specific to Azure AD and not to Azure AD B2C, because:
- The OpenID address has a different structure, more like this:
https://%AZURE_AD_B2C_TENANT_ID%.b2clogin.com/%AZURE_AD_B2C_TENANT_ID%.onmicrosoft.com/%AZURE_AD_B2C_POLICY_ID%/.well-known/openid-configuration
- The keys retrieved don't have the x5c attribute that contains the base64-encoded key. You can only retrieve the modulus and exponent, and hence you need to build your public key yourself. I did it using phpseclib and its RSA module (using v2.0.32 though):
```php
use phpseclib\Crypt\RSA;
use phpseclib\Math\BigInteger;

// Build a PEM public key from the base64url-encoded modulus (n) and exponent (e)
// of a JWKS entry, since B2C keys carry no x5c certificate (phpseclib 2.0 API).
private function generatePublicKeyFromModulusAndExponent(string $modulus, string $exponent): string
{
    $rsa = new RSA();
    $rsa->loadKey([
        'n' => new BigInteger($this->base64_url_decode($modulus), 256), // 256 = raw big-endian bytes
        'e' => new BigInteger($this->base64_url_decode($exponent), 256),
    ]);
    return $rsa->getPublicKey();
}

// JWK values are base64url (RFC 4648 section 5) without '=' padding; map to standard base64.
private function base64_url_decode(string $data): string
{
    $base64data = strtr($data, '-_', '+/');
    return base64_decode($base64data);
}
```
Hence, I created my own authentication module, based on what you did for Azure AD validation. I was wondering if you would be interested in my contribution for validating Azure AD B2C access tokens. Maybe I did it wrong, but I had the feeling that it wasn't possible so far with your library :)
Kudos for your work! It really helped me develop my own module though :)
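The two differences described in the issue (per-policy metadata URL, and JWKS entries that publish only n and e) are enough to validate a B2C RS256 token end to end. The following is an added, stand-alone example written for this page, not code from the oauth2-azure library or from the issue author; it is in Python rather than PHP so it runs with only the standard library, and it does the RSA PKCS#1 v1.5 verification by hand rather than through phpseclib. The tenant, policy, client id, issuer string, key id, RSA key and claims are all constructed placeholders; a real client reads `issuer` and `jwks_uri` from the metadata document and fetches the JWKS from there.

```python
"""Added example (not oauth2-azure code): validate an Azure AD B2C RS256 access token
from a JWKS entry carrying only n/e, using the Python standard library only.
Tenant, policy, client id, issuer, key and claims below are constructed placeholders."""
import base64, hashlib, hmac, json, random, time

def b2c_openid_config_url(tenant: str, policy: str) -> str:
    """Per-policy B2C metadata URL (pattern from the issue); 'issuer' and 'jwks_uri' come from it."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/.well-known/openid-configuration")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWK/JWT values drop '=' padding
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def jwk_to_public_numbers(jwk: dict) -> tuple:
    """B2C JWKS entries have no x5c certificate: rebuild the key from 'n' and 'e' alone."""
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1
def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes: 00 01 FF..FF 00 || DigestInfo
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = jwk_to_public_numbers(key)
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s64)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    if not hmac.compare_digest(em, _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))  # parse claims only after the signature holds
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

# --- test-only key generation and signing, so a sample token can be built offline ---
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin on an odd candidate; test-grade only, not for real key generation."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, with the top bit set
        if _is_probable_prime(c):
            return c

def generate_test_key(bits: int = 1024, kid: str = "constructed-kid-1") -> tuple:
    """Throwaway RSA key as a JWK with n/e only (the shape B2C publishes) plus private d."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
           "e": b64url_encode(e.to_bytes(3, "big"))}
    return jwk, d

def sign_rs256(header: dict, claims: dict, d: int, n: int) -> str:
    si = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(si.encode(), k), "big")
    return si + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))

# Constructed placeholders; a real client takes issuer and jwks_uri from the metadata document.
TENANT, POLICY, CLIENT_ID = "contoso", "B2C_1_signupsignin", "00000000-0000-0000-0000-000000000001"
ISSUER = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/v2.0/"

def demo(now: float = 1_700_000_000.0) -> dict:
    jwk, d = generate_test_key()
    n, _ = jwk_to_public_numbers(jwk)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "exp": int(now) + 3600}
    token = sign_rs256({"alg": "RS256", "typ": "JWT", "kid": jwk["kid"]}, claims, d, n)
    return verify_rs256(token, {"keys": [jwk]}, ISSUER, CLIENT_ID, now=now)
```

Two points carry over to whatever PHP implementation goes into the library: the `alg` in the header must be pinned to what the metadata advertises (never trusted from the token), and because B2C metadata and signing keys are scoped per policy, the JWKS has to be fetched for the policy named in the token rather than once per tenant.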