resource-api is not validating token signatures

[mrochon]

Please provide us with the following information:

This issue is for a: (mark with an x)

- [X ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

1. Configure with a valid api registration in AAD
2. Use Postman client to get an access token to the configured API
3. Modify the token by changing some of the signature characters (even one)
4. Call the API with the new token
5. Note that the API does not reject the token

Any log messages given by the failure

Expected/desired behavior

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

Versions

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

[bgavrilMS]

Which sample is this @mrochon ?

[bgavrilMS]

We should take a look at this. I assume it's the web api sample.

[mrochon]

been a long while so not sure but I think it's this one: https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api/resource-api