Function to validate an access token received from Azure Active Directory. Useful when you're using an MSAL library to authenticate users on the frontend and you want to verify Microsoft tokens in the API.
This package is dangerous. Version 2 does not validate the signature of the token. One can easily craft a token manually that gets accepted by this library.
This line produces "Access token validation failure. Invalid audience."
For me, this is clear. The audience id in our JWT tokens is the application id of our custom web API.
Graph API declines JWT tokens that are not issued for Graph API.
Why validate against Graph API at all?
I was just looking at the code for validate-token-header.ts and I am confused by what it does. It seems all validate-token-header is doing is getting a public key corresponding to the tokenHeader.kid property. After that it does not really validate the token using the public key. Is that correct?
```typescript
// Only checks that a key with this kid exists in the downloaded key set;
// the key itself is never used to verify the token's signature.
const isValidPublicKey = data.keys.some((_key) => _key.kid === tokenHeader.kid);
if (!isValidPublicKey) {
  throw new Error('The public key retrieved from the token header is invalid');
}
```