snok/django-auth-adfs

Signature verification failed

chiragkanhasoftdev opened this issue · 10 comments

Hey

I have followed this link to generate Frontend and Backend app https://django-auth-adfs.readthedocs.io/en/latest/azure_ad_config_guide.html and from #259

Do I have to use the same client_id for Frontend and Backend?

I have below configuration in my backend.


But when I call the API to validate the auth_token from the Frontend, I am receiving the error below.


I have also tried Web and SPA within the same app.



Signature verification does not fail if I send the id_token, but when I look at the token in https://jwt.ms/ I found that the access_token has two extra keys, nonce and x5t. Do these keys cause the issue?

I set the jwt decode option and it is decoding as per the screenshot below. Here aud and iss do not match, and I think that's the issue. If I change access_token to id_token then I am not able to extract given_name, family_name and upn.


You must use the access token.

Seems like your token is for graph (the audience is for graph), so that won’t work.

Which token you get will often be correlated to the scope you’re using. Ensure the scope is correct.

Here is the scope that I have in my ReactJS app:

export const loginRequest = {
    scopes: ["User.Read"]
};

Here is the scope which is defined in my app:


Exactly which permission do I have to use in order to resolve this issue? My requirement is simple: sign in and read user profile data.

You need to also have the scope for your backend app. It’ll be something like:

export const loginRequest = {
    // the backend app's scope must be quoted like any other string literal
    scopes: ["api://<clientid>/.default", "User.Read"]
};

Maybe my FastAPI documentation (which is more recent and 100% Azure focused) will clear things up: https://intility.github.io/fastapi-azure-auth/single-tenant/azure_setup

In that app we create a custom scope (which you can do to, or use the default one), and then we ensure the SPA requests a token for that scope: https://intility.github.io/fastapi-azure-auth/single-tenant/fastapi_configuration#implementing-fastapi-azure-auth

It's important to note that you'll most likely not need User.Read etc.; if you want to fetch additional data from Graph, that can be done through the OBO flow.
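The audience mismatch described above (a token minted for Graph because the SPA only asked for `User.Read`) can be spotted before any signature check by looking at the `aud`, `iss` and header fields. The following is an added illustration, not code from django-auth-adfs or the thread; the tenant and client ids are constructed placeholders, and the Graph application id and the "nonce header means Graph token" rule are stated as assumptions from Microsoft's documented behaviour.

```python
import base64
import json

# Application id of Microsoft Graph (assumption). Tokens issued for Graph also
# carry a "nonce" in the header and are not meant to be verified by other APIs.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, payload: dict) -> str:
    """Assemble a constructed JWT with a dummy signature (for inspection only)."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"dummy-signature")])


def inspect_token(token: str, backend_client_id: str, tenant_id: str) -> dict:
    """Decode header/payload WITHOUT verifying the signature and report why a
    backend registered as backend_client_id would or would not accept it."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_unb64url(header_b64))
    payload = json.loads(_unb64url(payload_b64))
    aud, iss = payload.get("aud"), payload.get("iss")
    problems = []
    if aud in (GRAPH_APP_ID, "https://graph.microsoft.com"):
        problems.append("aud is Microsoft Graph: the SPA requested only Graph scopes")
    elif aud not in (backend_client_id, f"api://{backend_client_id}"):
        problems.append(f"aud {aud!r} is not the backend app")
    if iss not in (f"https://login.microsoftonline.com/{tenant_id}/v2.0",
                   f"https://sts.windows.net/{tenant_id}/"):
        problems.append(f"iss {iss!r} is not tenant {tenant_id}")
    if "nonce" in header:
        problems.append("header has 'nonce': token minted for Graph, not for your API")
    return {"aud": aud, "iss": iss, "problems": problems, "usable": not problems}


# Constructed sample ids and tokens (not real values).
TENANT = "11111111-2222-3333-4444-555555555555"
BACKEND_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
graph_token = make_token({"alg": "RS256", "typ": "JWT", "nonce": "x", "x5t": "k1"},
                         {"aud": GRAPH_APP_ID, "iss": f"https://sts.windows.net/{TENANT}/"})
api_token = make_token({"alg": "RS256", "typ": "JWT", "kid": "k1"},
                       {"aud": f"api://{BACKEND_ID}",
                        "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0"})
```

This only explains a failure; the backend must still verify the signature against the tenant's signing keys before trusting any claim.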

Thanks @JonasKs , issue resolved. Thanks for your help.

Good to hear that! You’re welcome 😊

I have the exact same issue. @chiragkanhasoftdev could you please let me know the steps you took to solve this?