`azure.cli.core._profile.Profile` sets `"verify_signature": False` when decoding the access token

[jiasli]

We received a security concern:

A critical security flaw in the azure-cli-core component was identified, where the JWT decoding process explicitly disables signature verification. This allows attackers to manipulate claims such as Tenant ID and Object ID in tokens, leading to identity spoofing and unauthorized access to cross-tenant data or metadata. The vulnerability resides in src/azure-cli-core/azure/cli/core/_profile.py. The jwt.decode method is invoked with the option {"verify_signature": False}.

[github-actions]

This issue is related to security. Please pay attention.

Powered by issue-sentinel

[jiasli]

This is not a valid security risk:

1. Azure CLI as a client application only extracts tenant ID from the access token:

   azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

   Line 234 in ad0bacc

   tenant = decode['tid']

   Unlike a service, the access token is not used to validate the identity of the user.
2. If the access token is modified, it becomes invalid and resource providers that receive the access token will simply reject it.
3. The access token is retrieved from eSTS via HTTPS protocol, preventing MITM attack.
4. Even if the local machine was compromised and the attacker is somehow able to alter the received access token, they can also change ~/.azure/azureProfile.json to modify the authentication context.
5. MSAL's decode_id_token doesn't verify the ID token's signature either: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/2de45aeb534a05cfff0d85e96c4f330c102ef607/msal/oauth2cli/oidc.py#L86

[jiasli]

Also verified with Claude Opus 4.6 Copilot:

Now let me also verify the MSAL reference in the comment:Yes, the comment is valid and well-reasoned. Here's a breakdown of each point and why it holds up:

1. ✅ Azure CLI only extracts the tenant ID — it doesn't act as a resource server

The code confirms this. In _profile.py line 234:

decode = jwt.decode(token, algorithms=['RS256'], options={"verify_signature": False})
tenant = decode['tid']

The decoded token is only used to extract tid (tenant ID) and sometimes unique_name. Azure CLI is a client application — it never uses the access token to authorize incoming requests. The access token is sent to Azure resource providers (the servers), which are the ones responsible for validating it.

2. ✅ A modified access token will be rejected by resource providers

This is correct. Azure resource providers (ARM, etc.) do verify the token signature. If an attacker somehow modified the JWT payload (e.g., changing the tid claim), the signature would no longer match, and the resource provider would reject the request with a 401 Unauthorized.

3. ✅ The token is retrieved over HTTPS, preventing MITM

The access token is obtained from Microsoft's eSTS (Enterprise Security Token Service) over TLS. An attacker cannot intercept or modify the token in transit without breaking the TLS connection.

4. ✅ If the local machine is already compromised, skipping signature verification doesn't matter

If an attacker has local access to the machine, they could directly modify ~/.azure/azureProfile.json or the MSAL token cache. The verify_signature: False setting provides no additional attack surface beyond what already exists in a compromised-machine scenario.

5. ✅ MSAL Python itself doesn't verify the ID token signature either

This is confirmed in the MSAL source. At oidc.py line 86:

decoded = json.loads(decode_part(id_token.split('.')[1]))

MSAL's decode_id_token simply base64-decodes the payload — no cryptographic signature verification at all. The code even references OIDC spec section 6, which states that when the ID token is received via direct TLS communication with the token endpoint, TLS server validation MAY be used in place of checking the token signature.

Summary

The original security concern in the issue conflates client-side token parsing with server-side token validation. Signature verification is critical for resource servers that accept tokens to authorize requests. For a client application like Azure CLI that merely extracts metadata (tenant ID) from a token it just received over a secure channel, skipping signature verification is a standard, accepted practice — consistent with both the OIDC specification and Microsoft's own MSAL library.