JSON Web Key (JWK) represents a set of public keys as a JSON object. This format is used to represent bare keys.
The following is an example key set, in the notation of the JWK draft referenced below:
{
  "jwk": [
    {
      "alg": "EC",
      "crv": "P-256",
      "x": "{x_value}",
      "y": "{y_value}",
      "use": "enc",
      "kid": "1"
    },
    {
      "alg": "RSA",
      "mod": "{mod_value}",
      "exp": "AQAB",
      "kid": "2011-04-29"
    }
  ]
}
It's possible to convert from PEM format to JWK and from JWK to PEM.
Azure AD B2C signs the tokens issued by its user flows with keys that it rotates automatically, and it publishes those keys as JWK, not PEM.
To validate the JWT we need to:
- Go to the keys endpoint.
- Copy the JWK.
- Convert it to PEM.
- Validate the JWT signature with the PEM public key.
As the documentation states, the client needs to check periodically for new JWK keys, because they are rotated. A good check period is every 24 hours.
Reference(s)
https://openid.net/specs/draft-jones-json-web-key-03.html#anchor1
https://stackoverflow.com/questions/50816301/msal-access-token-invalid-signature
https://docs.microsoft.com/es-es/azure/active-directory-b2c/tokens-overview