Validating the correct username from the database using javascript

For more security considerations for bearer tokens, see RFC 6750 Section 5.

Because the JWTs issued by the v2.0 endpoint are signed but not encrypted, you can easily inspect the contents of a JWT for debugging purposes.

For more information about JWTs, see the JWT specification.

The v2.0 endpoint supports the OAuth 2.0 authorization protocol, which uses access tokens and refresh tokens.

The v2.0 endpoint also supports authentication and sign-in via OpenID Connect.

Although a party must authenticate with Azure AD to receive the bearer token, if steps are not taken to secure the token during transmission and storage, it can be intercepted and used by an unintended party.

Some security tokens have a built-in mechanism to prevent unauthorized parties from using them, but bearer tokens do not.

Your app should not break when new claims are introduced.

The following list includes the claims that your app currently can reliably interpret.

In ID tokens, the audience is your app's Application ID, assigned to your app in the Microsoft Application Registration Portal.

Your app should validate this value, and reject the token if the value does not match.

The same security principles apply when storing or caching bearer tokens for later use.