
Invalid JWT Signature When Verifying Access Token from Azure AD #98

Description

@alshafaeeahmed

Context
I'm using the strapi-plugin-sso to integrate Azure AD SSO with my Strapi Admin Panel. The plugin completes the login flow successfully, and I'm redirected back to Strapi.

Problem
After login, I tried to verify the access token (received from Azure AD) using https://jwt.io/, but I consistently get:
"Invalid Signature"

Even though the JWT structure and payload appear valid, the signature fails to verify.

My Attempts to Investigate
Since I needed to use the access token in other parts of my app (e.g., middleware), I implemented an interceptor that overrides axios.post temporarily, so I can capture the token when the plugin sends the request to:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Here's a simplified version of what I did:

```js
// Assumes this runs inside a Strapi (Koa) middleware: `ctx` is the request
// context and `secureOptions` holds the cookie flags (httpOnly, secure,
// sameSite). Both come from the surrounding code, which is not shown here.
const axios = require('axios');

const originalAxiosPost = axios.post;
axios.post = async function (url, data, config) {
  const result = await originalAxiosPost.call(this, url, data, config);

  // Capture the access token from the Azure AD token endpoint response.
  if (typeof url === 'string' && url.includes('oauth2/v2.0/token') && result.data?.access_token) {
    ctx.cookies.set('azure_user_access_token', result.data.access_token, secureOptions);
  }

  return result;
};
```
The interception works, and I can read the token — but the signature still shows as invalid on jwt.io.

What I suspect
I understand that JWTs issued by Azure AD are signed with a private key, and require the correct public key from Microsoft’s JWKS endpoint to verify.

So I wonder:

Does the plugin return access tokens meant for a specific audience that jwt.io can't verify without explicitly providing the correct public key?

Could the token be a reference token or encrypted, rather than a self-contained JWT?

Is there a reliable way to expose or verify the access token's signature using the plugin?

Is there an option in the plugin to expose the full token response (for debugging purposes)?

Expected Behavior
Either:

The access token should be verifiable (if it's a standard JWT)

Or documentation should clarify what kind of token is returned, and how to validate it

Any guidance or clarification would be greatly appreciated.
Thank you for the great work on the plugin!
