Forum Discussion
MS Teams access token signature is invalid
I am trying to validate an access token from MS Teams in my backend application.
The validation fails because the signature of the token is invalid.
This is how I obtain the token:

    export class MyWebPart extends BaseClientSideWebPart {
      protected async onInit(): Promise<void> {
        await super.onInit();
        // Request the Teams SSO token and hand it to the backend
        this.context.sdks.microsoftTeams?.teamsJs.authentication.getAuthToken()
          .then(token => sendToBackend(token));
      }
    }

When I copy the token into JWT.io it says that the signature of the token is invalid.
I notice that in the token the issuer is: https://sts.windows.net/{{tenant-id}}/
and in the openid-configuration: https://login.microsoftonline.com/9cd5e2a3-9fa3-456d-9c40-159cf74b23db/v2.0
How do I get a proper token?
5 Replies
- KvDaalen (Copper Contributor)
How do I set up my Teams app registration to use the v2.0 endpoint?
Or is it possible to request the token using the v1 endpoint?
- KvDaalen (Copper Contributor)
I am using the Teams Toolkit.
This is the token that I get when I call getAuthToken() when I am previewing my Teams App (F5).
Where can I update the configuration to get the proper token?
- Prasad_Das-MSFT
Microsoft
You’re currently using Microsoft Teams SDK to retrieve the token, which is correct. Ensure this token is an ID token or access token signed by Microsoft’s identity platform. Use libraries like jsonwebtoken to validate the token in the backend against Microsoft’s public keys.
Understanding the Issuer in the Token
Endpoint Differences: Utilizing https://sts.windows.net/{tenantId}/ often refers to tokens issued by Azure AD's v1.0 endpoint, while https://login.microsoftonline.com/{tenantId}/v2.0 refers to tokens issued by the v2.0 endpoint.
Configuration Matters:
Ensure the proper setup of your Microsoft Teams app registration to use the v2.0 endpoint if you’re planning to verify tokens against login.microsoftonline.com.
Thanks,
Prasad Das
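The issuer comparison described in the reply above can be run as a triage step before any signature check. This is an added example, not part of the original thread or of any Microsoft sample; `triageToken`, the placeholder tenant id, the `kid` value and the key set are constructed for illustration.

```javascript
// Added example: pre-verification triage only; nothing here checks the signature.
// Token, tenant id and key set are constructed sample data.
const toB64Url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
// Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
const decodePart = (part) => JSON.parse(Buffer.from(part, "base64").toString("utf8"));

// Issuer formats quoted in the thread, keyed by endpoint version.
const ISSUER_PATTERNS = {
  "v1.0": /^https:\/\/sts\.windows\.net\/([^/]+)\/$/,
  "v2.0": /^https:\/\/login\.microsoftonline\.com\/([^/]+)\/v2\.0$/,
};

// triageToken is a hypothetical helper: it reports which endpoint issued the
// token, whether that matches what the backend expects, and whether the
// header's kid exists in the key set the backend downloaded.
function triageToken(token, expectedVersion, jwks) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "not a three-part JWS" };
  let header, claims;
  try {
    header = decodePart(parts[0]);
    claims = decodePart(parts[1]);
  } catch {
    return { ok: false, reason: "header or payload is not base64url JSON" };
  }
  const iss = String(claims?.iss ?? "");
  const version = Object.keys(ISSUER_PATTERNS).find((v) => ISSUER_PATTERNS[v].test(iss));
  if (!version) return { ok: false, reason: "unrecognised issuer format" };
  const tenant = ISSUER_PATTERNS[version].exec(iss)[1];
  if (version !== expectedVersion)
    return { ok: false, version, tenant, reason: `token is ${version} but backend expects ${expectedVersion}` };
  const key = (jwks.keys || []).find((k) => k.kid === header?.kid);
  if (!key) return { ok: false, version, tenant, reason: `kid ${header?.kid} not in the key set` };
  return { ok: true, version, tenant, kid: key.kid, alg: header.alg };
}

const TENANT = "00000000-0000-0000-0000-000000000000"; // placeholder tenant id
const sampleToken = [
  toB64Url({ typ: "JWT", alg: "RS256", kid: "sample-kid-1" }),
  toB64Url({ iss: `https://sts.windows.net/${TENANT}/` }), // v1.0-style issuer, as in the question
  "c2lnbmF0dXJl", // dummy signature bytes
].join(".");
const sampleJwks = { keys: [{ kty: "RSA", kid: "sample-kid-1" }] };

console.log(triageToken(sampleToken, "v2.0", sampleJwks)); // issuer/version mismatch
console.log(triageToken(sampleToken, "v1.0", sampleJwks)); // issuer and kid line up
```

A passing triage only means the token and the key set come from the same endpoint version; the backend still has to verify the signature and claims with a JWT library against that key set.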
- KvDaalen (Copper Contributor)
I tried to verify using the key set at https://login.windows.net/common/discovery/keys.
This is the jwks_url from
https://sts.windows.net/TENANT_ID/.well-known/openid-configuration.
The validation also fails with this key set.
I notice that the signature of the token is marked as not valid in JWT.io.
- Prasad_Das-MSFT
Microsoft
Hi KvDaalen, could you please check the resolutions provided in the two threads below and let us know if that helps?
azure - Invalid Signature when generate bearer token - Stack Overflow
Troubleshooting “Invalid Signature” Errors in Signed JWTs with Microsoft Azure AD | by Anuj Pachauri | Medium