And yes, this is a client authentication library, but the recommended most secure flow is the authorization code flow, which requires this to be run on the server in order to have control of how you issue tokens to the clients (client secrets). Of course, there are reference solutions out there as mentioned above. I think this makes it a very suitable place to include a def validate_token(self, audience...) -> DecodedToken: somewhere in the class ClientApplication(object): which can then be included into any middleware; at least the implementation is right there for use, and potential security or performance impacting bugs in an area as critical as the validation of tokens (performed on all requests) are avoided in the multitude of servers using the authorization code flow (or any other implementation that requires the token acquisition and validation to happen in the same application). I think including this feature in the library would be great for us users and would mitigate potential vulnerabilities from improper validation, with everyone re-implementing reference solutions and making mistakes.

```python
import base64
import jwt  # PyJWT
import requests  # assumed: used here to fetch the issuer's signing keys
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

# token is the access token to check; client_id is your app registration id
token_key_id = jwt.get_unverified_header(token)['kid']
keys_url = 'https://login.microsoftonline.com/common/discovery/v2.0/keys'  # assumed key source
jwk = {k['kid']: k for k in requests.get(keys_url).json()['keys']}[token_key_id]
der_cert = base64.b64decode(jwk['x5c'][0])  # first x5c entry is the DER signing certificate
cert = x509.load_der_x509_certificate(der_cert, default_backend())
pem_key = cert.public_key().public_bytes(encoding=serialization.Encoding.PEM,
                                         format=serialization.PublicFormat.SubjectPublicKeyInfo)
token_claims = jwt.decode(token, pem_key, algorithms=['RS256'], audience=client_id)
```

Update: This method may fail for access tokens, because they might be issued for another audience (e.g. Microsoft Graph API) and signed with an audience-specific key.

Hi, I am using your code to decode the client side token given by Teams to a tab. I am getting this error: Invalid audience. I used the Application Id (when we register the app in Azure Active Directory) as client_id. Is there anything that you can help me with?

I decoded the token again in jwt.ms, found the aud parameter and used that value as the audience to decode the token_claims again.

I understand it's not necessary to validate tokens for the Graph API. However, I'm currently using this library to obtain tokens for my own API, by setting the scopes to point to my app registration id. Is there currently a plan to add token validation to this library?
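An added example, not from this thread or from the MSAL library, showing the validation steps the thread circles around: select the key by the token's kid, verify the signature, then check iss, aud and exp, so that a token minted for another audience fails with Invalid audience. It signs with HS256 from the standard library in place of the RS256/x5c path above so it runs with no dependencies; KEYS, ISSUER and the ids are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWT whose header names its signing key by kid (HS256 stand-in for RS256)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, keys: dict, audience: str, issuer: str, now: float = None) -> dict:
    """Verify the signature with the key selected by kid, then check iss, aud and exp."""
    h, p, s = token.split(".")                        # ValueError if not three segments
    header = json.loads(_b64url_decode(h))
    key = keys.get(header.get("kid"))                 # unknown or missing kid: refuse, never fall back
    if header.get("alg") != "HS256" or key is None:
        raise ValueError("unexpected alg or unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))            # claims are trusted only after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("Invalid audience")          # the error seen in the thread: token minted for another API
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed sample data: a key set indexed by kid, and placeholder ids (not real tenant or app ids).
KEYS = {"kid-1": b"constructed-secret-1", "kid-2": b"constructed-secret-2"}
ISSUER = "https://login.example.test/tenant-id/v2.0"
MY_APP = "00000000-0000-0000-0000-000000000001"       # the app registration (client) id we expect as aud
OTHER_API = "00000000-0000-0000-0000-000000000002"    # another audience, e.g. a Graph access token

def demo() -> tuple:
    exp = int(time.time()) + 600
    mine = sign_token({"iss": ISSUER, "aud": MY_APP, "exp": exp}, "kid-1", KEYS["kid-1"])
    other = sign_token({"iss": ISSUER, "aud": OTHER_API, "exp": exp}, "kid-2", KEYS["kid-2"])
    accepted = validate_token(mine, KEYS, MY_APP, ISSUER)["aud"]
    try:
        validate_token(other, KEYS, MY_APP, ISSUER)
        rejected = None
    except ValueError as e:
        rejected = str(e)
    return accepted, rejected
```

demo() returns the accepted audience for the token issued to your own API and the "Invalid audience" error for the one issued to another API.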