azure-ad-verify-token
Advanced tools
Verify JWT issued by Azure Active Directory B2C in Python 🐍.
Validation steps this library makes:
1. Accepts an Azure AD B2C JWT.
2. Extracts `kid` from unverified headers.
3. Finds `kid` within Azure JWKS.
4. Obtains RSA key from JWK.
5. Calls `jwt.decode` with nessary parameters, which inturn validates:
- Signature
- Expiration
- Audience
- Issuer
- Key
- Algorithm
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
For commercial use licenses contact us.
pip install azure-ad-verify-token
First you'll need to get your azure_ad_app_id, azure_ad_issuer and azure_ad_jwks_uri. See below steps to obtain these.
For app id. Login to Azure Portal, navigation to Azure AD B2C, Click on the Applications section and your app id should be listed.
For Issuer and JWKS URI:
Under the "User Flows", note down the name of yours, this will be needed shortly.
Next, under Azure AD B2C, within the Applications section.
Click on "Endpoints".
Copy the endpoint with the label "OpenID Connect configuration endpoint (v2)"
It will look something like:
https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration
Now replace <policy-name> with the name of your User Flow from earlier
https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/B2C_1_app_sign_in/v2.0/.well-known/openid-configuration
Now visit that URL in your web browser.
You should get a JSON response, note down the values for the keys 'issuer' and 'jwks_uri'.
Now you have those values you can proceed to verify a Azure generated JWT Token.
from azure_ad_verify_token import verify_jwt
azure_ad_app_id = 'b74cd13f-8f79-4c98-b748-7789ecb1111d5'
azure_ad_issuer = 'https://exampletenant.b2clogin.com/0867afa-24e7-40e9-9d27-74bb598zzzzc/v2.0/'
azure_ad_jwks_uri = 'https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/B2C_1_app_sign_in/discovery/v2.0/keys'
payload = verify_jwt(
token='<AZURE_JWT_TO_VERIFY_HERE>',
valid_audiences=[azure_ad_app_id],
issuer=azure_ad_issuer,
jwks_uri=azure_ad_jwks_uri,
verify=True,
)
print(payload)
{'aud': 'b74cd13f-8f79-4c98-b748-7789ecb1111d5',
'auth_time': 1591800638,
'emails': ['bob@example.com'],
'exp': 1591804238,
'family_name': 'Exp Admin',
'given_name': 'Richard',
'iat': 1591800638,
'iss': 'https://exampletenant.b2clogin.com/90867afa-24e7-40e9-9d27-74bb598zzzzc/v2.0/',
'nbf': 1591800638,
'sub': 'e07bbc53-b812-4572-9edc-4b5d4ac88447',
'tfp': 'B2C_1_app_sign_in',
'ver': '1.0'}
If something goes wrong, one of the below exceptions will be raised:
# If the token is found to be invalid.
azure_ad_verify_token.InvalidAuthorizationToken
# Base exception, raised if the checks which call the Azure server recieve an unhappy response.
azure_ad_verify_token.AzureVerifyTokenError
verify_jwt function.verify_jwt function.verify to verify_jwt function.FAQs
Verify JWT issued by Azure Active Directory B2C in Python.
We found that azure-ad-verify-token demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.