Azure APIM JWT token validation policy

BHASKAR BISWAS 1 Reputation point
2020-09-25T14:12:36.837+00:00

Can some body tell me what is meant by the below error?

{"message":"JWT Validation Failed: IDX10501: Signature validation failed. Unable to match keys: \nkid: '714c28b0a8a547d997940eaa54d972f2', \ntoken: '{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"714c28b0a8a547d997940eaa54d972f2\"}.{\"aud\":\"18022020\",\"sub\":\"user-000-000-001\"}'.."}}]

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,663 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Mike Urnun 9,231 Reputation points Microsoft Employee
    2020-09-26T00:44:56.927+00:00

    In case you haven't, be sure to specify key id property on <validate-jwt> policy such that it matches id in token:

    <key id="714c28b0a8a547d997940eaa54d972f2...">....</key>

    This will allow the policy to find the correct key to validate the token.

    0 comments No comments

  2. BHASKAR BISWAS 1 Reputation point
    2020-09-26T12:09:32.557+00:00

    Therefore, You mean to say the validate-jwt token is not able to determine the Kid value?

    My Scenario

    1. I have Azure KeyVault and craeted a Key in it. For Example ,let say the Key-name is demoKey and its id is 714c28b0a8a547d997940eaa54d972f2.
    2. I have generated a JWT token by signing it by the private key of the Azure Key-Vault:- demoKey. created in step 1.

    Jwt Token:- eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIiwia2lkIjoiNzE0YzI4YjBhOGE1NDdkOTk3OTQwZWFhNTRkOTcyZjIifQ.eyJhdWQiOiAiMTgwMjIwMjAiLCAgInN1YiI6ICJ1c2VyLTAwMC0wMDAtMDAxIn0.BGYsegSRl2RVXEYiqbeO5ewijEDRRfRnzoWpXw9_3VFmkojM2co_-NI726Y5YZv4SomaaEe-Ul9jApQcQfvfc3Ib9jsFebZgkmzf4FS8OdWJ0Y_quRugsyHsTnc3poFFzTlwDEzlEpDCzJwk06ogXyAKxRh1Ke73aAkwQVGzgUWkF4I6KYjFOydPSlONKyKglOqgepYZjXOGnQY_AXBwNOmnNSzKzrT49aBQ6TztPlcJddzSSYNX5DsTX9NuS5jrrvj0N6sKycovoUdoFseO1tsrPF-4OSpzm1IK66LR4I8UxLlM6S9a8DHh2sW2D51gPTusrnAtZ_rVxTZvwExeRw

    1. Now when I pass the JWT Token in the request and want to validate it by the public key of the Azure Key-Vault:- demoKey. created in step 1.
    2. I am getting the public key calling the Azure Key-vault demoKey URL. The below response I get when I call the URL

    {
    "key": {
    "kid": "https://azure-host-name/keys/demoKey/714c28b0a8a547d997940eaa54d972f2",
    "kty": "RSA",
    "key_ops": [
    "sign",
    "verify",
    "wrapKey",
    "unwrapKey",
    "encrypt",
    "decrypt"
    ],
    "n": "uCbTYEqdDzGPTspx-daXLuSPQYpgwhp98g9_CYidchyVv-UhKXpnqEUo16KEjFLAtIGoO-zP0O_USURR5E_XroccIA1ZE7ERLz87v32bZJk_ljtAAwNlAiXHrXXNFOZ6E1QsZY2LiBBAC5aKOVUL6iY2QC-FxocuIHrgcplPltRqwcyF9ftRUuA5rKiXJp1M8EJUg0i_6tUdcRQ9TxLZJ_7tCqgvKQXzS-0SRcuX6l3T8_-_DR-CNEM6v_EOjLNoTpZPgYM1qlIsnlICX812ADToQgqmPp5At810ACei2EtNgzNH0kDgNjaV8nX93MGo7Tjdnks_SJtqAyC8aylpww",
    "e": "AQAB"
    },
    "attributes": {
    "enabled": true,
    "created": 1583915663,
    "updated": 1583915663,
    "recoveryLevel": "Purgeable"
    }
    }

    1. This how I am using the Jwt-validation policy <validate-jwt token-value="@{return (string)context.Variables["id_token"];}" failed-validation-httpcode="401" failed-validation-error-message="Failed Validation" output-token-variable-name="VerifyPlatformJWT">
      <issuer-signing-keys>
      <key>@{
              var publicKey = **"{<!-- -->{signing-key}}";** ===> This is the public key that I am using , which I got from step 4 (n)
              string padded = publicKey.Length % 4 == 0
              ? publicKey : publicKey + "====".Substring(publicKey.Length % 4);
      
              string base64 = padded.Replace("_", "/")
                                .Replace("-", "+");
      
      
              return Convert.ToBase64String(Convert.FromBase64String(base64));
      
              }</key>
          </issuer-signing-keys>
      

    Am I doing anything wrong?


  3. Stig Buhl Popp-Kristensen 1 Reputation point
    2021-04-23T11:20:41.9+00:00

    Hi @BHASKAR BISWAS

    if I understand this right you cant use RSA key only with certificate
    https://learn.microsoft.com/da-dk/azure/api-management/api-management-access-restriction-policies#ValidateJWT
    90775-image.png

    Have you found a solution otherwise?

    0 comments No comments