
Decode and Decrypt Azure B2C OpenID Authorization Token, Use Response in API Call (Example Token Within)

I have been provided with a working Azure AD B2C application, and my goal is to use it to facilitate a means of access control to particular content.

Using that application URL, a successful login/authentication results in a redirect (in accordance with the redirect-URI) with an id_token appended. Here’s an example:

https://dev.domain.org/#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkxKTnZUd1g3Wm9qZnRHUWhXUEdid0hpZExzU3VSVEYyRDh2WjA4d3lpbjgifQ.eyJleHAiOjE2Mzk0OTgwOTQsIm5iZiI6MTYzOTQ5NDQ5NCwidmVyIjoiMS4wIiwiaXNzIjoiaHR0cHM6Ly9henRzdGIyYy5iMmNsb2dpbi5jb20vNTMxZWJiOTktYTVkOS00NmJhLWFkZTctM2MyNTk3YzMzNTBmL3YyLjAvIiwic3ViIjoiYXV0b3NpaWNwenIucWF0ZXN0aW5nQGNmYXFhLnRlc3RpbmF0b3IuY29tIiwiYXVkIjoiYjg4NDdkMzEtMzA3Ny00Y2M1LThmNGUtYmU4ZmMzODUxNzk0IiwiYWNyIjoiYjJjXzFhX2N1c3RvbWVybm9waWRfY2ZhX3NpZ251cF9zaWduaW5fYjJjbG9naW4iLCJub25jZSI6ImRlZmF1bHROb25jZSIsImlhdCI6MTYzOTQ5NDQ5NCwiYXV0aF90aW1lIjoxNjM5NDk0NDk0LCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6IjIwMDcwNDQ2MCIsImh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL3ZlbmRvcmlkIjoiODExNDI4MTAxIiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvZW1haWxhZGRyZXNzIjoiYXV0b3NpaWNwenIucWF0ZXN0aW5nQGNmYXFhLnRlc3RpbmF0b3IuY29tIiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6ImF1dG9zaWljcHpyLnFhdGVzdGluZ0BjZmFxYS50ZXN0aW5hdG9yLmNvbSIsImh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL2dpdmVubmFtZSI6Im1BRmRDIiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvc3VybmFtZSI6InBabktxIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS9hY2Nlc3Njb250cm9sc2VydmljZS8yMDEwLzA3L2NsYWltcy9pZGVudGl0eXByb3ZpZGVyIjoiQXp1cmVCMkMifQ.Nwx_uH9hbo0OHoeOlq0YYgS5rLqJK_PV5WulIlfnl4z-tY6jGF_jjEZ7VLpNGD9qivy70E1mfoxOuVkFPTIidScmMJSu_Ps5sNgvxLHNPPI_n5ufDcVo2zztAfS-SCLHXlLGsMXnfjDwDzEO2GQaCM3U66VaVzVXeeMVPSW0VBbyt3TM3jhnPE8BML5YqTWg0OMYFMUivRth1Ydf6sjbSvJzWsRNOv2I6NC2iAicVZ-mQAiBF2QJJPxPMHdwmwxt-qiA81q69BiylGlUFQQ3MthiJ1BztjtIGUYLgs6kI09-YPt881UjsFbVpS0D1CAs3PiqtQ1dgp0DHLmSz7c4oA

The value of the id_token is encoded and encrypted, so it will need to be decoded and then decrypted. The encoding is Base 64 and the encryption is specified after decoding, which I believe should be easily handled by open source libraries (but I’ve failed to figure out how). Using jwt.io, I can tell you that the decoded and decrypted data contains first name, last name, email address and the member’s ID in this format:

"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/vendorid":"811428101",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":"autosiicpzr.qatesting@cfaqa.testinator.com",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"autosiicpzr.qatesting@cfaqa.testinator.com",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"mAFdC",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"pZnKq",
"http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider":"AzureB2C"

The member ID is returned as ‘vendorId’. So in the above example, the member/vendor ID (811428101) would then be used to look up the user’s membership status via an API I have access to.

Using vanilla JavaScript or PHP, how do I decode and decrypt the response and store it for use (the vendorId parameter, most crucially) in the subsequent API query?

If helpful, the API request URL would look something like this:

https://apigateway.test.domain.org/TestPublic/users/{vendorId}