Azure APIM JWT token validation policy

BHASKAR BISWAS 1 Reputation point
2020-09-25T14:12:36.837+00:00

Can somebody tell me what is meant by the error below?

{"message":"JWT Validation Failed: IDX10501: Signature validation failed. Unable to match keys: \nkid: '714c28b0a8a547d997940eaa54d972f2', \ntoken: '{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"714c28b0a8a547d997940eaa54d972f2\"}.{\"aud\":\"18022020\",\"sub\":\"user-000-000-001\"}'.."}}]

Azure API Management

3 answers

  1. Mike Urnun 9,786 Reputation points Microsoft Employee
    2020-09-26T00:44:56.927+00:00

    In case you haven't, be sure to specify the key id property on the <validate-jwt> policy so that it matches the id in the token:

    <key id="714c28b0a8a547d997940eaa54d972f2...">....</key>

    This will allow the policy to find the correct key to validate the token.


  2. BHASKAR BISWAS 1 Reputation point
    2020-09-26T12:09:32.557+00:00

    Therefore, you mean to say the validate-jwt token is not able to determine the kid value?

    My Scenario

    1. I have Azure Key Vault and created a key in it. For example, let's say the key name is demoKey and its id is 714c28b0a8a547d997940eaa54d972f2.
    2. I have generated a JWT token by signing it with the private key of the Azure Key Vault key demoKey created in step 1.

    JWT token:- eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIiwia2lkIjoiNzE0YzI4YjBhOGE1NDdkOTk3OTQwZWFhNTRkOTcyZjIifQ.eyJhdWQiOiAiMTgwMjIwMjAiLCAgInN1YiI6ICJ1c2VyLTAwMC0wMDAtMDAxIn0.BGYsegSRl2RVXEYiqbeO5ewijEDRRfRnzoWpXw9_3VFmkojM2co_-NI726Y5YZv4SomaaEe-Ul9jApQcQfvfc3Ib9jsFebZgkmzf4FS8OdWJ0Y_quRugsyHsTnc3poFFzTlwDEzlEpDCzJwk06ogXyAKxRh1Ke73aAkwQVGzgUWkF4I6KYjFOydPSlONKyKglOqgepYZjXOGnQY_AXBwNOmnNSzKzrT49aBQ6TztPlcJddzSSYNX5DsTX9NuS5jrrvj0N6sKycovoUdoFseO1tsrPF-4OSpzm1IK66LR4I8UxLlM6S9a8DHh2sW2D51gPTusrnAtZ_rVxTZvwExeRw

    3. Now when I pass the JWT token in the request, I want to validate it with the public key of the Azure Key Vault key demoKey created in step 1.
    4. I am getting the public key by calling the Azure Key Vault demoKey URL. Below is the response I get when I call the URL:

    {
    "key": {
    "kid": "https://azure-host-name/keys/demoKey/714c28b0a8a547d997940eaa54d972f2",
    "kty": "RSA",
    "key_ops": [
    "sign",
    "verify",
    "wrapKey",
    "unwrapKey",
    "encrypt",
    "decrypt"
    ],
    "n": "uCbTYEqdDzGPTspx-daXLuSPQYpgwhp98g9_CYidchyVv-UhKXpnqEUo16KEjFLAtIGoO-zP0O_USURR5E_XroccIA1ZE7ERLz87v32bZJk_ljtAAwNlAiXHrXXNFOZ6E1QsZY2LiBBAC5aKOVUL6iY2QC-FxocuIHrgcplPltRqwcyF9ftRUuA5rKiXJp1M8EJUg0i_6tUdcRQ9TxLZJ_7tCqgvKQXzS-0SRcuX6l3T8_-_DR-CNEM6v_EOjLNoTpZPgYM1qlIsnlICX812ADToQgqmPp5At810ACei2EtNgzNH0kDgNjaV8nX93MGo7Tjdnks_SJtqAyC8aylpww",
    "e": "AQAB"
    },
    "attributes": {
    "enabled": true,
    "created": 1583915663,
    "updated": 1583915663,
    "recoveryLevel": "Purgeable"
    }
    }

    5. This is how I am using the JWT validation policy:

    <validate-jwt token-value="@{return (string)context.Variables["id_token"];}" failed-validation-httpcode="401" failed-validation-error-message="Failed Validation" output-token-variable-name="VerifyPlatformJWT">
        <issuer-signing-keys>
            <key>@{
                // This is the public key that I am using, which I got from step 4 (n)
                var publicKey = "{{signing-key}}";
                string padded = publicKey.Length % 4 == 0
                    ? publicKey : publicKey + "====".Substring(publicKey.Length % 4);

                string base64 = padded.Replace("_", "/")
                                      .Replace("-", "+");

                return Convert.ToBase64String(Convert.FromBase64String(base64));
            }</key>
        </issuer-signing-keys>
    </validate-jwt>

    Am I doing anything wrong?
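
The following is an added example, not code from the question, from the answers, or from APIM itself. It models the two checks that decide this thread's outcome: the exact "kid" match that IDX10501 reports as failed, and the key type required by the token's "alg". The token header segment and the Key Vault kid URL are taken from the posts above; the key entries are constructed stand-ins, where an RSA entry plays the role of a <key certificate-id="..."> configuration and an "oct" entry models the bare <key>...</key> body used in step 5, which APIM interprets as a base64 symmetric secret. The Python helper names are assumptions of this example.

```python
import base64
import json

# First segment (the header) of the JWT posted in the question. The payload and
# signature are not needed to pick a key, so they are left out.
TOKEN_HEADER_SEGMENT = (
    "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIiwia2lkIjoiNzE0YzI4YjBhOGE1NDdk"
    "OTk3OTQwZWFhNTRkOTcyZjIifQ"
)
# "kid" as Key Vault returns it (step 4 of the question): a full versioned key URL.
KEY_VAULT_KID = "https://azure-host-name/keys/demoKey/714c28b0a8a547d997940eaa54d972f2"


def b64url_to_b64(value: str) -> str:
    """Same transformation as the C# in the question's policy expression:
    restore '=' padding, then map the URL-safe alphabet back to standard base64."""
    padded = value if len(value) % 4 == 0 else value + "===="[len(value) % 4:]
    return padded.replace("_", "/").replace("-", "+")


def b64url_decode(value: str) -> bytes:
    return base64.b64decode(b64url_to_b64(value))


def parse_jwt_header(token: str) -> dict:
    """Decode the unsigned JOSE header; its 'kid' and 'alg' drive key selection."""
    return json.loads(b64url_decode(token.split(".")[0]))


def key_vault_version_from_kid(kid: str) -> str:
    """Key Vault kids look like https://<vault>/keys/<name>/<version>; the token
    in the question carries only <version>, so compare on the last path segment."""
    return kid.rstrip("/").rsplit("/", 1)[-1]


def required_key_type(alg: str) -> str:
    """JWK 'kty' a JOSE alg needs: HS* -> 'oct' (shared secret), RS*/PS* -> 'RSA', ES* -> 'EC'."""
    if alg.startswith("HS"):
        return "oct"
    if alg.startswith(("RS", "PS")):
        return "RSA"
    if alg.startswith("ES"):
        return "EC"
    raise ValueError(f"unsupported alg {alg!r}")


class KeyLookupError(LookupError):
    pass


def find_signing_key(token: str, issuer_signing_keys: list) -> dict:
    """Select a configured key by exact 'kid' match, then check its type fits 'alg'.
    Failing the first step is what IDX10501 ('Unable to match keys') reports."""
    header = parse_jwt_header(token)
    token_kid = header.get("kid")
    matches = [k for k in issuer_signing_keys if k.get("id") == token_kid]
    if not matches:
        raise KeyLookupError(
            f"Unable to match keys: kid {token_kid!r} not in "
            f"{[k.get('id') for k in issuer_signing_keys]!r}"
        )
    key = matches[0]
    needed = required_key_type(header["alg"])
    if key.get("kty") != needed:
        raise KeyLookupError(
            f"key {token_kid!r} is {key.get('kty')!r} but alg {header['alg']} needs {needed!r}"
        )
    return key


def run_scenarios() -> dict:
    """Three constructed ways of filling <issuer-signing-keys>, applied to the
    question's token. 'RSA' entries stand in for <key certificate-id="...">; the
    'oct' entry models a bare <key>...</key> body (a base64 symmetric secret)."""
    version = key_vault_version_from_kid(KEY_VAULT_KID)
    scenarios = {
        "full_kid_url": [{"id": KEY_VAULT_KID, "kty": "RSA"}],
        "version_only_rsa": [{"id": version, "kty": "RSA"}],
        "version_only_symmetric_body": [{"id": version, "kty": "oct"}],
    }
    results = {}
    for name, keys in scenarios.items():
        try:
            find_signing_key(TOKEN_HEADER_SEGMENT, keys)
            results[name] = "matched"
        except KeyLookupError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows that only the entry whose id equals the version segment and whose key is RSA gets past both checks: using the full Key Vault URL as the id reproduces the "Unable to match keys" failure, and a matching id on a symmetric key body still cannot verify an RS256 signature.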


  3. Stig Buhl Popp-Kristensen 1 Reputation point
    2021-04-23T11:20:41.9+00:00

    Hi @BHASKAR BISWAS

    If I understand this right, you can't use an RSA key, only a certificate:
    https://learn.microsoft.com/da-dk/azure/api-management/api-management-access-restriction-policies#ValidateJWT
    [screenshot attached: 90775-image.png]

    Have you found a solution otherwise?
