I have an angularjs SPA web app which uses ADAL-JS (and adal-angular). It's set up to authenticate vs our corporate AD in MS Azure. The log-in flow seems to work correctly,

Next, when the user clicks a button, the SPA makes a request to a REST API I am hosting on AWS API Gateway. I am passing the id_token on the Authorization: Bearer header. The API Gateway receives the header as intended, and now has to determine if the given token is good or not to either allow or deny access.

Also, is there a (possibly python) library that can facilitate the verification of a given id_token as in the case above (so that I won't have to go grab the signing key on the fly myself?)... The best I could find (ADAL for python) doesn't seem to provide this feature?

For what it's worth, MSAL Python, which is ADAL Python's successor, validates the id token under the hood, and provides you the decoded claims inside an id token for your app. So that your app - which just obtained that id token via MSAL Python - can consume it locally.

Usually id token is not used "on the Authorization: Bearer header" to send to 3rd party for authorization purpose. YMMV.