Programming
azure jwt azure-active-directory rsa azure-ad-b2c
Updated Fri, 26 Aug 2022 11:31:25 GMT

Validating the token received from Azure AD B2C using the values from the "jwks_uri" endpoint


I am getting the Azure AD access token from a utility service and I want to validate it using some standard token validation parameters, which include issuer, audience and issuer signing key. Now I have the issuer and audience but I don't have the issuer signing key.

However, I have extracted the key information using the jwks_uri endpoint of Azure AD B2C, which gives me a JSON output as

{
  "keys": [
    {
      "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4......",
      "nbf": 1493763266,
      "use": "sig",
      "kty": "RSA",
      "e": "AQAB",
      "n": "tVKUtcx_n9rt5afY_2WFNvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmL...."
    }
  ]
}

I tried using just the n value as the key but I am getting an exception that token validation failed. Now I want to know how I get the issuer signing key to validate the token. Is n+e (string concatenation?) a solution? I saw a similar question, Azure AD B2C - Token validation does not work, but it did not answer my question and hence would like to know the exact way to do it in .NET Core.




Solution

According to my understanding, you want to validate the access token. If so, we can use the SDK System.IdentityModel.Tokens to implement it. For example:

    using System.IdentityModel.Tokens.Jwt;
    using System.Threading;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;

    // Packages: Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt.
    // The metadata document links to jwks_uri; ConfigurationManager fetches and caches the keys.
    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        "https://testb2ctenant05.b2clogin.com/testB2CTenant05.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_test",
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever());
    CancellationToken ct = default;
    var discoveryDocument = await configurationManager.GetConfigurationAsync(ct);
    // RSA keys already built from the "n"/"e" values published at jwks_uri
    var signingKeys = discoveryDocument.SigningKeys;
    var validationParameters = new TokenValidationParameters
    {
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        ValidateIssuer = true,
        ValidIssuer = discoveryDocument.Issuer,
        ValidateAudience = true,
        ValidAudience = audience, // the application (client) id the token was issued for; supplied by the caller like `token`
        ValidateIssuerSigningKey = true,
        IssuerSigningKeys = signingKeys,
        ValidateLifetime = true,
    };
    // Throws SecurityTokenException (wrong issuer, audience, signature, or expired) on failure.
    var principal = new JwtSecurityTokenHandler()
        .ValidateToken(token, validationParameters, out var rawValidatedToken);
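The key construction the question asks about, as an added C# example that is not part of the question or the answer above: it decodes the base64url "n" and "e" members of a JWKS entry into RSA parameters (they are the modulus and public exponent, two integers, so concatenating the strings does not yield a key) and then validates signature, issuer, audience and lifetime with the resulting key. The issuer, audience, key id, key pair and token are all constructed locally so it runs without a tenant; the only assumptions are the standard Microsoft.IdentityModel packages named in the comments.

```csharp
// Added example (not from the question or answer): build an RSA signing key from the
// "n"/"e" members of a JWKS document and validate a JWT with it.
// Assumed packages: System.IdentityModel.Tokens.Jwt, Microsoft.IdentityModel.Tokens.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwksValidationExample
{
    // Constructed values standing in for the B2C issuer and the application (client) id.
    const string Issuer = "https://example.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/";
    const string Audience = "11111111-1111-1111-1111-111111111111";

    // One JWKS entry -> RsaSecurityKey. "n" and "e" are base64url-encoded big-endian
    // integers; each is decoded separately into RSAParameters.
    public static RsaSecurityKey KeyFromJwk(JsonWebKey jwk)
    {
        if (jwk.Kty != "RSA") throw new ArgumentException("expected an RSA key, got " + jwk.Kty);
        var rsa = RSA.Create();
        rsa.ImportParameters(new RSAParameters
        {
            Modulus = Base64UrlEncoder.DecodeBytes(jwk.N),
            Exponent = Base64UrlEncoder.DecodeBytes(jwk.E),
        });
        // KeyId lets the handler pick the key whose kid matches the token header.
        return new RsaSecurityKey(rsa) { KeyId = jwk.Kid };
    }

    // Validate signature, issuer, audience and lifetime against a JWKS JSON document.
    // Throws SecurityTokenException on any failure.
    public static ClaimsPrincipal Validate(string token, string jwksJson, string issuer, string audience)
    {
        var jwks = new JsonWebKeySet(jwksJson);
        var keys = new List<SecurityKey>();
        foreach (var jwk in jwks.Keys) keys.Add(KeyFromJwk(jwk));

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKeys = keys,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    public static void Main()
    {
        // Constructed key pair playing the role of the tenant's signing key.
        using var signingRsa = RSA.Create(2048);
        var signingKey = new RsaSecurityKey(signingRsa) { KeyId = "example-kid" };

        // Publish only the public half, in the shape the jwks_uri endpoint returns.
        var pub = signingRsa.ExportParameters(false);
        string jwksJson = "{\"keys\":[{\"kid\":\"example-kid\",\"use\":\"sig\",\"kty\":\"RSA\"," +
            "\"e\":\"" + Base64UrlEncoder.Encode(pub.Exponent) + "\"," +
            "\"n\":\"" + Base64UrlEncoder.Encode(pub.Modulus) + "\"}]}";

        // Issue a constructed token the way the tenant would.
        var handler = new JwtSecurityTokenHandler();
        string token = handler.CreateEncodedJwt(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "user-1") }),
            Expires = DateTime.UtcNow.AddMinutes(10),
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256),
        });

        var principal = Validate(token, jwksJson, Issuer, Audience);
        // The handler maps the inbound "sub" claim to ClaimTypes.NameIdentifier by default.
        Console.WriteLine("valid, subject = " + principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        // Same good signature, different audience: still rejected.
        try { Validate(token, jwksJson, Issuer, "some-other-app"); }
        catch (SecurityTokenInvalidAudienceException) { Console.WriteLine("rejected: wrong audience"); }
    }
}
```

`KeyFromJwk` is written out so the relationship between the JSON members and the RSA key is visible; in production the same conversion is done for you by `JsonWebKeySet.GetSigningKeys()` or by the `ConfigurationManager` approach in the answer, which also refreshes the keys when the tenant rolls them over.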




Comments (2)

  • +1 – Thank you so much !! Exactly what I needed. @jim-xu — Jan 22, 2020 at 04:17  
  • +0 – this is the best answer so far for Azure B2C — Dec 23, 2020 at 20:04  

