ValidateAADJwt.psm1
using namespace System.Security.Cryptography.X509Certificates using namespace System.Security.Cryptography class TokenExpiredException : System.Exception { TokenExpiredException ([string] $Message) : base($Message){ } } class TokenVersionValidationFailedException : System.Exception { TokenVersionValidationFailedException ([string] $Message) : base($Message){ } } class TokenAudienceValidationFailedException : System.Exception { TokenAudienceValidationFailedException ([string] $Message) : base($Message){ } } class TokenSignatureValidationFailedException : System.Exception { TokenSignatureValidationFailedException ([string] $Message) : base($Message){ } } class TokenAzpacrValidationFailedException : System.Exception { TokenAzpacrValidationFailedException ([string] $Message) : base($Message){ } } class TokenAzpValidationFailedException : System.Exception { TokenAzpValidationFailedException ([string] $Message) : base($Message){ } } class TokenIssValidationFailedException : System.Exception { TokenIssValidationFailedException ([string] $Message) : base($Message){ } } class TokenUnusableException : System.Exception { TokenUnusableException ([string] $Message) : base($Message){ } } Function Add-PublicKeysToCache { [cmdletbinding()] param( [parameter(Mandatory)] [string]$Kid ) Write-Verbose 'Add-PublicKeysToCache - Begin function' $HOMEPath = Get-HomePath $FullPath = Join-Path -Path $HOMEPath -ChildPath ".validateaadjwt" -AdditionalChildPath $Kid $x5c = Find-AzureX5c -Kid $Kid Write-Verbose 'Add-PublicKeysToCache - Update cache with new value' Set-Content -Path $FullPath -Value $x5c -Force Write-Verbose 'Add-PublicKeysToCache - End function' } function ConvertTo-X509Certificate2 { [CmdletBinding()] [OutputType([System.Security.Cryptography.X509Certificates.X509Certificate2])] param( [parameter(Mandatory)]$x5c ) $ModCertInfo = @" -----BEGIN CERTIFICATE----- $($x5c) -----END CERTIFICATE----- "@ $cBytes = [System.Text.Encoding]::UTF8.GetBytes($ModCertInfo) [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cBytes) } function Find-AzureX5c { [CmdletBinding()] param( [Parameter(Mandatory)][String]$Kid ) Write-Verbose 'Find-AzureX5c - Begin function' $ErrorActionPreference = 'Stop' try{ #According to https://docs.microsoft.com/fr-fr/azure/active-directory/develop/access-tokens#validating-tokens $uri = 'https://login.microsoftonline.com/common/.well-known/openid-configuration' $WellKnownInfo = Invoke-RestMethod -Uri $uri -Method GET $PublicAADKeysURI = $WellKnownInfo.jwks_uri Write-Verbose "Find-AzureX5c - AAD Keys URI: $PublicAADKeysURI" $AADPublicKeys = Invoke-RestMethod -Uri $PublicAADKeysURI -Method GET Write-Verbose "Find-AzureX5c - AAD Keys: $AADPublicKeys" #Let's see if your Kid (cert thumbprint) parameter exist in Azure. If empty means your token is a bad one. If exist, means we have to pick one of Azure pubkey. $UsedKey = $AADPublicKeys.keys.Kid -contains $Kid Write-Verbose "Find-AzureX5c - AAD Used Key: $UsedKey" if ($UsedKey) { #$X5c represent the public key that has been used to encrypt your token Write-Verbose "Find-AzureX5c - Get public key value" $x5c = $AADPublicKeys.keys | Where-Object { $_.Kid -eq $Kid } | Select-Object -ExpandProperty x5c Write-Verbose 'Find-AzureX5c - End function' } else { Write-Verbose 'Find-AzureX5c - End function' $x5c = $null } return $x5c } catch{ New-CustomExceptionGenerator -SignatureValidationFailed } } function Get-HomePath { [CmdletBinding()] param() Write-Verbose 'Get-HomePath - Begin function' if ($env:FUNCTIONS_WORKER_RUNTIME -eq 'Powershell') { Write-Verbose 'Get-HomePath - Azure function detected' $HOMEPath = [Environment]::GetEnvironmentVariable('TEMP') } elseif($IsLinux){ Write-Verbose 'Get-HomePath - Linux detected' $HOMEPath = [Environment]::GetEnvironmentVariable('HOME') } else{ Write-Verbose 'Get-HomePath - Windows detected' $HOMEPath = Join-Path $env:HOMEDRIVE $env:HOMEPATH } Write-Verbose 'Get-HomePath - End function' return $HOMEPath } Function Get-PublicKeysFromCache { [cmdletbinding()] param( [parameter(Mandatory)] [string]$Kid ) Write-Verbose 'Get-PublicKeysFromCache - Begin function' #Define $HOMEPath variable dependin the platform $HOMEPath = Get-HomePath $FullPath = Join-Path -Path $HOMEPath -ChildPath ".validateaadjwt" -AdditionalChildPath $Kid Get-Content -Path $FullPath Write-Verbose 'Get-PublicKeysFromCache - End function' } function New-CacheFolder { [CmdletBinding()] param() Write-Verbose 'New-CacheFolder - Begin function' $Path = Join-Path -Path $(Get-HomePath) -ChildPath ".validateaadjwt" $null = New-Item -Path $path -ItemType Directory -Force Write-Verbose 'New-CacheFolder - Cache folder created' Write-Verbose 'New-CacheFolder - End function' } function New-CustomExceptionGenerator { param( [Parameter(Mandatory=$true,ParameterSetName='TokenExpired')] [switch]$TokenExpired, [Parameter(Mandatory=$true,ParameterSetName='VersionValidationFailed')] [switch]$VersionValidationFailed, [Parameter(Mandatory=$true,ParameterSetName='AudienceValidationFailed')] [switch]$AudienceValidationFailed, [Parameter(Mandatory=$true,ParameterSetName='SignatureValidationFailed')] [switch]$SignatureValidationFailed, [Parameter(Mandatory=$true,ParameterSetName='AzpacrValidationFailed')] [switch]$AzpacrValidationFailed, [Parameter(Mandatory=$true,ParameterSetName='AzpValidationFailed')] [switch]$AzpValidationFailed, [Parameter(Mandatory=$true,ParameterSetName='IssuerFailed')] [switch]$IssuerValidationFailed, [Parameter(Mandatory=$true,ParameterSetName='TokenUnusable')] [switch]$TokenUnusable ) # This function is a wrapper to generate custom terminated exception from classes (look _CustomExceptions.ps1) $null = $MyError switch($PSBoundParameters.Keys){ 'TokenExpired'{ $MyError = [TokenExpiredException]::new('Token provided is expired') break } 'VersionValidationFailed'{ $MyError = [TokenVersionValidationFailedException]::new('Token provided does not use the 2.0 endpoint version') break } 'AudienceValidationFailed'{ $MyError = [TokenAudienceValidationFailedException]::new('Token provided does target the right audience') break } 'SignatureValidationFailed'{ $MyError = [TokenSignatureValidationFailedException]::new('The signature of the provided token cannot be verified') break } 'AzpacrValidationFailed'{ $MyError = [TokenAzpacrValidationFailedException]::new('Token provided are not sent by a public application') break } 'AzpValidationFailed'{ $MyError = [TokenAzpValidationFailedException]::new('Token provided are not sent by a trusted application') break } 'IssuerValidationFailed'{ $MyError = [TokenIssValidationFailedException]::new('Token issuer is not valid') break } 'TokenUnusable'{ $MyError = [TokenUnusableException]::new('Token provided are not usable') break } } throw $MyError } function Test-CacheFolder { [CmdletBinding()] [OutputType([Bool])] param() Write-Verbose 'Test-CacheFolder - Begin function' $Path = Join-Path -Path $(Get-HomePath) -ChildPath ".validateaadjwt" Write-Verbose 'Test-CacheFolder- End function' Test-Path $Path } Function Test-PublicKeysToCache { [cmdletbinding()] param( [parameter(Mandatory)] [string]$Kid ) Write-Verbose 'Test-PublicKeysToCache - Begin function' #Define $HOMEPath variable dependin the platform $HOMEPath = Get-HomePath $FullPath = Join-Path -Path $HOMEPath -ChildPath ".validateaadjwt" -AdditionalChildPath $Kid Write-Verbose 'Test-PublicKeysToCache - End function' Test-Path $FullPath } function Clear-PublicKeysCache { [CmdletBinding()] param() Write-Verbose 'Clear-PublicKeysCache - Begin function' $Path = Join-Path -Path $(Get-HomePath) -ChildPath ".validateaadjwt" Remove-Item -Path $Path Write-Verbose 'Clear-PublicKeysCache - End function' } function ConvertFrom-Jwt { <# .SYNOPSIS This function will decode a base64 JWT token. .DESCRIPTION Big thank you to both Darren Robinson (https://github.com/darrenjrobinson/JWTDetails/blob/master/JWTDetails/1.0.0/JWTDetails.psm1) and Mehrdad Mirreza in the comment of the blog post (https://www.michev.info/Blog/Post/2140/decode-jwt-access-and-id-tokens-via-powershell) I've used both article for inspiration because: Darren does not have header wich is a mandatory peace according to me and Mehrdad does not have signature which is also a mandatory piece. .PARAMETER Token Specify the access token you want to decode .EXAMPLE PS> ConvertFrom-Jwt -Token "ey...." "will decode the token" .NOTES VERSION HISTORY 1.0 | 2021/07/06 | Francois LEON initial version POSSIBLE IMPROVEMENT - #> [cmdletbinding()] param( [Parameter(Mandatory = $true)] [string]$Token ) Write-Verbose 'ConvertFrom-Jwt - Begin function' $ErrorActionPreference = 'Stop' $Token = $Token.Replace('Bearer ','') try { # Validate as per https://tools.ietf.org/html/rfc7519 # Access and ID tokens are fine, Refresh tokens will not work if (!$Token.Contains('.') -or !$Token.StartsWith('eyJ')) { Write-Error 'Invalid token' -ErrorAction Stop } # Extract header and payload $tokenheader, $tokenPayload, $tokensignature = $Token.Split('.').Replace('-', '+').Replace('_', '/')[0..2] # Fix padding as needed, keep adding '=' until string length modulus 4 reaches 0 while ($tokenheader.Length % 4) { Write-Debug 'Invalid length for a Base-64 char array or string, adding ='; $tokenheader += '=' } while ($tokenPayload.Length % 4) { Write-Debug 'Invalid length for a Base-64 char array or string, adding ='; $tokenPayload += '=' } while ($tokenSignature.Length % 4) { Write-Debug 'Invalid length for a Base-64 char array or string, adding ='; $tokenSignature += '=' } Write-Verbose "ConvertFrom-Jwt - Base64 encoded (padded) header:`n$tokenheader" Write-Verbose "ConvertFrom-Jwt - Base64 encoded (padded) payoad:`n$tokenPayload" Write-Verbose "ConvertFrom-Jwt - Base64 encoded (padded) payoad:`n$tokenSignature" # Convert header from Base64 encoded string to PSObject all at once $header = [System.Text.Encoding]::ASCII.GetString([system.convert]::FromBase64String($tokenheader)) | ConvertFrom-Json # Convert payload to string array $tokenArray = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($tokenPayload)) # Convert from JSON to PSObject $tokobj = $tokenArray | ConvertFrom-Json # Convert Expiry time to PowerShell DateTime $orig = (Get-Date -Year 1970 -Month 1 -Day 1 -hour 0 -Minute 0 -Second 0 -Millisecond 0) $timeZone = Get-TimeZone $utcTime = $orig.AddSeconds($tokobj.exp) $hoursOffset = $timeZone.GetUtcOffset($(Get-Date)).hours #Daylight saving needs to be calculated $localTime = $utcTime.AddHours($hoursOffset) # Return local time, # Time to Expiry $timeToExpiry = ($localTime - (get-date)) Write-Verbose 'ConvertFrom-Jwt - End function' [pscustomobject]@{ Tokenheader = $header TokenPayload = $tokobj TokenSignature = $tokenSignature TokenExpiryDateTime = $localTime TokentimeToExpiry = $timeToExpiry } } catch { New-CustomExceptionGenerator -TokenUnusable } } function Test-AADJWTSignature { <# .SYNOPSIS This function will validate Azure Active Directory token signature and other critical claims. .DESCRIPTION this function will also cache locally the public key used for the token signature to speed things up with offline token signature. .PARAMETER Token Specify the access token you want to verify. .PARAMETER TenantId Specify the Azure tenantId used to sign the token. .EXAMPLE PS> Test-AADJWTSignature -Token $AccessToken -TenantId "<my tenantid>" True means the token received is safe to use. .NOTES VERSION HISTORY 1.0 | 2023/003/27 | Francois LEON initial version POSSIBLE IMPROVEMENT - #> [CmdletBinding()] [OutputType([Bool])] param( [Parameter(Mandatory)][String]$Token, [Parameter(Mandatory)][string]$TenantId ) begin { Write-Verbose 'Test-AADJWTSignature - Begin function' # To avoid issue when we activate Azure func auth $AccessToken = $AccessToken.Replace('Bearer ','') if (-not $(Test-CacheFolder)) { New-CacheFolder } else { Write-Verbose 'Test-AADJWTSignature - Cache detected' } } process { $Jwt = ConvertFrom-Jwt -Token $Token -erroraction stop # Drop wrong token as quickly as possible # Azure expose only JWT Token with algorithm RS256, iss "https://login.microsoftonline.com/<tenantid>/v2.0" or "https://sts.windows.net/<tenantId>/" if ($Jwt.Tokenheader.typ -ne 'JWT') { Write-Verbose 'Test-AADJWTSignature - typ not equal JWT' New-CustomExceptionGenerator -TokenUnusable } if ($Jwt.Tokenheader.alg -ne 'RS256') { Write-Verbose 'Test-AADJWTSignature - typ not equal alg' New-CustomExceptionGenerator -TokenUnusable } $exp = (Get-Date 01.01.1970) + ([System.TimeSpan]::fromseconds($Jwt.TokenPayload.exp)) if ((New-TimeSpan -Start $(Get-Date -AsUTC) -End $exp).TotalSeconds -lt 0) { New-CustomExceptionGenerator -TokenExpired } $iss = @("https://login.microsoftonline.com/$tenantid/v2.0","https://sts.windows.net/$tenantid/") #v1 and v2 endpoint included if ($Jwt.TokenPayload.iss -notin $iss) { Write-Verbose 'Test-AADJWTSignature - not issued by Azure' New-CustomExceptionGenerator -TokenUnusable } if ($null -eq $Jwt.Tokenheader.kid) { Write-Verbose 'Test-AADJWTSignature - kid not defined' New-CustomExceptionGenerator -TokenUnusable } # Now it's time to read the signature $kid = $Jwt.Tokenheader.kid #Update cache if needed for offline signature check if (-not $(Test-PublicKeysToCache -Kid $kid)) { Write-Verbose 'Test-AADJWTSignature - No cache detected' Add-PublicKeysToCache -Kid $kid } $x5c = Get-PublicKeysFromCache -Kid $kid $x509 = ConvertTo-X509Certificate2 -x5c $x5c # Now we can calculate the signature try { Write-Verbose "Test-AADJWTSignature - Verifying JWT signature" $parts = $Token.Split('.') #Compute our hash $SHA256 = New-Object Security.Cryptography.SHA256Managed $computed = $SHA256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($parts[0] + '.' + $parts[1])) # Computing SHA-256 hash of the JWT parts 1 and 2 - header and payload # Grab signature we received $signed = $parts[2].replace('-', '+').replace('_', '/') # Decoding Base64url to the original byte array $mod = $signed.Length % 4 switch ($mod) { 0 { $signed = $signed } 1 { $signed = $signed.Substring(0, $signed.Length - 1) } 2 { $signed = $signed + '==' } 3 { $signed = $signed + '=' } } $bytes = [Convert]::FromBase64String($signed) # Conversion completed #Compare the two return $x509.PublicKey.Key.VerifyHash($computed, $bytes, [Security.Cryptography.HashAlgorithmName]::SHA256, [Security.Cryptography.RSASignaturePadding]::Pkcs1) # Returns True if the hash verifies successfully } catch { New-CustomExceptionGenerator -SignatureValidationFailed } } } Export-ModuleMember -Function 'Clear-PublicKeysCache', 'ConvertFrom-Jwt', 'Test-AADJWTSignature' |