Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,663 questions
Need a bit of guidance on implementing Entra authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 66%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EX%3C/text%3E%3C/svg%3E)
xdf1038
0
Reputation points
I am lost in tons of documentation and can't figure out how to properly implement authentication with Entra on the backend.
We are developing a new internal web application that has a NextJS frontend running in an Azure App Service Docker Instance with a NestJS backend also running in App Services with Docker
The backend is getting content from Microsoft Graph API in the background, processes it and stores it in an Azure Cosmos DB. This part is already working using notification subscriptions on the processed data with MS Graph.
The colleagues implemented the frontend MS Entra auth with Next-Auth - that part is also working. Now I don't now how to obtain the token and how to validate it in my backend so that only users with a certain active directory role are permitted to fetch data from the NestJS API app's database
The NestJS middleware part is clear to me. But how do I verify the Entra access token? It doesn't seem to be a JWT - what is set in the cookie is a string of the form ey[...] that has 4 dots (JWTs usually have 3)
From what I googled so far, this is called an opaque access token.
How do I
- validate and verify it
- use it to authenticate the user at my API (what code do I need to implement before I can return true in my NestJS Guard) - I guess I need to send the token to some Microsoft API to verify it?
- what do I need to keep in mind? How long can I assume that a token is validated?
- How can I implement RBAC inside my API using that token (e.g. where in the Token do I find the claims that state which groups a user belongs to?)
- What security best practices do I need to follow when handling access tokens (aside from using HTTPS)
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Navya 9,565 Reputation points Microsoft Vendor2024-09-04T06:52:33.88+00:00 Hi @xdf1038
Thank you for posting this in Microsoft Q&A.
I understand that you are trying to implement authentication with Microsoft Entra Verified ID on the backend of your web application, and you are having trouble validating and verifying the access token that is generated by the frontend Next-Auth library.
To validate and verify the token, you need to send it to the Microsoft Identity Platform's token validation endpoint. This endpoint will check the token's signature, audience, and other claims to ensure its valid. Once you've validated the token, you can use the extracted claims to authenticate the user. Any JWT token validation package should work fine, and it's recommended, especially for signature validation. Try jsonwebtoken. Also, take a look at Validate tokens.
The default lifetime of an access token is variable. When issued, an access token's default lifetime is assigned a random value ranging between 60-90 minutes (75 minutes on average). The default lifetime also varies depending on the client application requesting the token or if Conditional Access is enabled in the tenant.
When decoding an access token, you can identify Entra groups such as security groups and roles assigned to a user within the token.
When handling access tokens, it is important to follow security best practices to ensure that they are not compromised or stolen. Some best practices include using HTTPS, encrypting the access token, and using short-lived access tokens that expire after a certain period of time.
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya.
-
xdf1038 0 Reputation points
2024-09-04T07:35:17.5066667+00:00 How do I correctly call the token validation endpoint? What's the exact URL and parameters?The page you linked does not state that.
Also the page you linked refers to regular JWTs with 3 parts (2 dots)
I have a token with 4 dots that cannot be decoded in https://jwt.ms in the cookie that is set by Microsoft after successful sign in in the frontend app.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Ben Gimblett 4,330 Reputation points Microsoft Employee2024-09-06T13:18:47.2666667+00:00 @xdf1038 Whilst Entra can be configured to issue JWEs (which is what you are referring to) you would have needed to opt into it as per https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Decryption this article. And it doesnt sound like you did (otherwise you'd have mentioned it)
I dont know too much about next-auth (your colleague may be able to help) but rooting around their docs it suggests v4 of next-auth itself encrypts JWT as JWE by default under certain circumstances (apparently to do with how you want to manage session)
REF https://next-auth.js.org/faq
Taking a step back , in general with oauth the front end logs in using OIDC and gets an ID token back from entra and either optionally can also have an access token returned representing the user or the front end can request that separately (there's also a dance around token storage and refresh) and the access token is attached to the request to the backend API as a bearer header.
Hope this helps
-
xdf1038 0 Reputation points
2024-09-10T14:11:41.4966667+00:00 Thank you very much, I'll read through all the resources but things have become a bite more clear already :)
Sign in to comment
Sign in to answer