What I changed from the base branch: A client_credential does not have to have a scp key on the JWT so I am removing that check to allow service-to-service tokens to be validated.
This is a function that can be used to validate an access token received from Azure Active Directory. It is particularly useful when you're using a MSAL library to authenticate users on the frontend and you want to verify Microsoft tokens in the API.
For more information about the required props to validate your token and the library itself, please refer to the API Documentation
yarn add validate-azure-ad-token
npm install validate-azure-ad-token
- Verify if all required props are passed in.
- Decode the token using the jsonwebtoken library.
- Send a request to
https://login.microsoftonline.com/{tenantId}/discovery/keys?appid={applicationId}
to receive all public keys unique to yourapplicationId
andtenantId
. This action is cached after one successful attempt. - Verify all required access token claims:
aud
,tid
,iss
,scp
,appid
,exp
. - If the comparison succeeds, the token is valid.
const validate = require('validate-azure-ad-token').default;
try {
const decodedToken = await validate('YOUR_MICROSOFT_ACCESS_TOKEN', {
tenantId: 'YOUR_TENANT_ID',
audience: 'YOUR_AUDIENCE_ID',
applicationId: 'YOUR_APPLICATION_ID',
scopes: 'YOUR_SCOPES', // for example ["User.Read"]
});
// DO WHATEVER YOU WANT WITH YOUR DECODED TOKEN
} catch (error) {
// ALL ERRORS GONNA SHOW HERE AS A STRING VALUE
}
If you are using a @azure/msal-react or @azure/msal-browser on the frontend site and you want to verify your Microsoft access token on your node server.
This project is licensed under the MIT License - see the LICENSE file for details.