Verify JWT issued by Azure Active Directory B2C in Python 🐍.
Validation steps this library makes:
1. Accepts an Azure AD B2C JWT.
2. Extracts `kid` from unverified headers.
3. Finds `kid` within Azure JWKS.
4. Obtains RSA key from JWK.
5. Calls `jwt.decode` with nessary parameters, which inturn validates:
- Signature
- Expiration
- Audience
- Issuer
- Key
- Algorithm
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
For commercial use licenses contact us.
pip install azure-ad-verify-token
First you'll need to get your azure_ad_app_id
, azure_ad_issuer
and azure_ad_jwks_uri
. See below steps to obtain these.
-
For app id. Login to Azure Portal, navigation to Azure AD B2C, Click on the Applications section and your app id should be listed.
-
For Issuer and JWKS URI:
Under the "User Flows", note down the name of yours, this will be needed shortly.
Next, under Azure AD B2C, within the Applications section.
Click on "Endpoints".
Copy the endpoint with the label "OpenID Connect configuration endpoint (v2)"
It will look something like:
https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration
Now replace <policy-name>
with the name of your User Flow from earlier
https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/B2C_1_app_sign_in/v2.0/.well-known/openid-configuration
Now visit that URL in your web browser.
You should get a JSON response, note down the values for the keys 'issuer' and 'jwks_uri'.
Now you have those values you can proceed to verify a Azure generated JWT Token.
from azure_ad_verify_token import verify_jwt
azure_ad_app_id = 'b74cd13f-8f79-4c98-b748-7789ecb1111d5'
azure_ad_issuer = 'https://exampletenant.b2clogin.com/0867afa-24e7-40e9-9d27-74bb598zzzzc/v2.0/'
azure_ad_jwks_uri = 'https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/B2C_1_app_sign_in/discovery/v2.0/keys'
payload = verify_jwt(
token='<AZURE_JWT_TO_VERIFY_HERE>',
valid_audiences=[azure_ad_app_id],
issuer=azure_ad_issuer,
jwks_uri=azure_ad_jwks_uri,
verify=True,
)
print(payload)
{'aud': 'b74cd13f-8f79-4c98-b748-7789ecb1111d5',
'auth_time': 1591800638,
'emails': ['bob@example.com'],
'exp': 1591804238,
'family_name': 'Exp Admin',
'given_name': 'Richard',
'iat': 1591800638,
'iss': 'https://exampletenant.b2clogin.com/90867afa-24e7-40e9-9d27-74bb598zzzzc/v2.0/',
'nbf': 1591800638,
'sub': 'e07bbc53-b812-4572-9edc-4b5d4ac88447',
'tfp': 'B2C_1_app_sign_in',
'ver': '1.0'}
If something goes wrong, one of the below exceptions will be raised:
# If the token is found to be invalid.
azure_ad_verify_token.InvalidAuthorizationToken
# Base exception, raised if the checks which call the Azure server recieve an unhappy response.
azure_ad_verify_token.AzureVerifyTokenError