3.0.7 • Published 11 months ago
@tmaguire/azure-ad-verify-token v3.0.7
Azure AD/Entra ID Verify Token
Verify JWTs issued by Azure Active Directory (Azure B2C), Entra ID (organisational accounts and B2B workflows), and Microsoft Account (MSA). This is collectively referred to as the Microsoft Identity Platform which forms part of Microsoft Entra.
This fork is maintained by @tmaguire - this module was originally created by @justinlettau.
Table of Contents
Features
- 🎉 Verify JWTs issued by the Microsoft Identity Platform (including Azure AD B2C).
- 🚀 Automatically use the rotated public keys from Entra ID.
- 💪 Written in TypeScript.
- ♻️ Configurable cache for public keys.
Installation
npm install @tmaguire/azure-ad-verify-token --saveUsage
Verify
import { verify, VerifyOptions } from '@tmaguire/azure-ad-verify-token';
// Azure B2C example
const options: VerifyOptions = {
jwksUri:
'https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signupsignin1/discovery/v2.0/keys',
issuer: 'https://contoso.b2clogin.com/contoso.onmicrosoft.com/v2.0/',
audience: '99d1275c-e805-483f-b832-600f8130829c',
};
// Entra ID example
// const options: VerifyOptions = {
// jwksUri:
// 'https://login.microsoftonline.com/contoso.onmicrosoft.com/discovery/v2.0/keys',
// issuer:
// 'https://sts.windows.net/contoso.onmicrosoft.com/',
// audience: 'api://99d1275c-e805-483f-b832-600f8130829c',
// };
verify(token, options)
.then((decoded) => {
// verified and decoded token
console.log(decoded);
})
.catch((error) => {
// invalid token
console.error(error);
});Verify options
| Property | Type | Description |
|---|---|---|
jwksUri | string | jwk_uri value obtained from metadata endpoint. |
issuer | string | issuer value obtained from metadata endpoint. |
audience | string | Application ID of the application accessing the tenant. |
Example metadata endpoints
Common endpoints
- https://login.microsoftonline.com/common/.well-known/openid-configuration
- https://login.microsoftonline.com/common/discovery/keys
Organisational endpoints
- https://login.microsoftonline.com/
{tenantId}/.well-known/openid-configuration - https://login.microsoftonline.com/
{tenantId}/discovery/v2.0/keys
Replace
{tenantId}with either your Tenant ID (GUID from Entra ID Portal) or one of your verified domains.
Azure B2C endpoints
- https://
{tenantName}.b2clogin.com/{tenantId}/{policyName}/v2.0/.well-known/openid-configuration - https://
{tenantName}.b2clogin.com/{tenantId}/{policyName}/discovery/v2.0/keys
Replace
{tenantId}with either your Tenant ID (GUID from Entra ID Portal) or one of your verified domains, replace{tenantName}with your B2C tenant endpoint name, and replace{policyName}with the relevant policy that has issued the token you want to verify.
Configuration
import { setConfig } from '@tmaguire/azure-ad-verify-token';
setConfig({
cacheLifetime: 12 * (60 * 60 * 1000), // 12 hours
});Configuration options
| Property | Type | Description | Default |
|---|---|---|---|
cacheLifetime | number | Number of milliseconds to cache public keys. | 1 hour |
References
- Overview of tokens in Azure Active Directory B2C
- Microsoft identity platform access tokens
- RSA Key Converter
Development
npm install
npm run build