Validating the RSA signature on a signed JWT from Ping Federate

If we upgrade the JSON token project in this really old (by one!) memo to dotnet 4.5 and compile things using visual studio 2012 (upgrade2!) can we verify the JWT from Ping Identity’s Ping Federate server? Recall that a signed JSON object is subtly distinct from a signed JWT (intended to be used in token passing protocols). describes the validation procedure


Assume we forget all the Azure AD type concepts, and just do the bare minimum to verify a token, with a preconfigured cert.

So, lets install visual studio 2012 on our host (with the Ping Federate based OAUTH AS and STS) so we can compile our very trivial token decoder project against dot net 4.5. This also allows us to reference the JWT security token handler assembly, having installed the capability via nuget (searching on JWT)


Obviously, now, we have a reader for the base64(url) string encoding and a token reader:


Once we get the right (one-level verifying) cert loaded and more correctly identify the audience and issuer (i.e. swap the above), we get a verified principal:


at this point, we presumably go off and create a cert chain and check the cert is valid, re its chain, CRLDPs, OCSP pointers, etc etc.



Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in pingfederate. Bookmark the permalink.