APIM JWT Token Validation Policy Error on Issuer Key

Arslan Pervaiz 20 Reputation points
2023-07-08T06:09:13.8366667+00:00

I am using APIM to validate JWT tokens, and here is what my policy looks like:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <audiences>
        <audience>68f3930e-0492-4642-8cd0-65d68a504dba</audience>
        <audience>7a20a24d-1bc7-4906-8dfc-c0e6dfd19d69</audience>
        <audience>ae901aaf-6bea-4e1b-902c-6851e4305b1b</audience>
        <audience>0d5b8f5e-4045-459c-99f1-a710ca8dd63e</audience>
        <audience>c37587ed-2974-4932-b87f-e51886ca378e</audience>
        <audience>2f96ac72-7887-4aa4-a02c-204288fe1ed8</audience>
        <audience>7c5dd291-edd7-4dc4-ad09-25ac006a0a42</audience>
    </audiences>
    <issuers>
        <issuer>https://login.microsoftonline.com/{TenantId}/v2.0/</issuer>
        <issuer>https://{Tenant}.b2clogin.com/38cf84e1-4cbb-4abb-8aa3-4c0f7107c585/v2.0/</issuer>
        <issuer>https://sts.windows.net/{TenantId}/</issuer>
    </issuers>
</validate-jwt>

I am specifying issuers so I can validate both B2B and B2C JWT tokens, and I also added audiences so it validates tokens generated by multiple applications. I am not specifying an OpenID config because explicit issuers are specified in my case.

I am getting this error

validate-jwt (-0.148 ms)
{
    "message": "JWT Validation Failed: IDX10500: Signature validation failed. No security keys were provided to validate the signature.."
}

I tried to specify the issuer keys like this, which I am getting from these URLs:
https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}
https://{Tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1_si/discovery/v2.0/keys

I am retrieving multiple kids, which I specified as below, but I get the error "Not valid Base64 string" when saving the policy:

<issuer-signing-keys>
    <key>X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk</key>
    <key>Mr5-AUibfBii7Nd1jBebaxboXW0</key>
</issuer-signing-keys>

Please suggest what I am doing wrong in my case.

Thanks


Accepted answer
Ben Gimblett 4,540 Reputation points Microsoft Employee
2023-07-10T10:59:05.7833333+00:00

    I think you need to provide more to the validator ref the key element

In the example you pasted into your question you only provide the public key identifier (KID or ID). Try also adding the "n" and "e" values (from the JSON returned from the B2C keys URL).

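The accepted answer's point, as an added example that is not from either poster or from Microsoft: a Python script that turns the JSON a discovery/keys endpoint returns (a constructed sample here, with a shortened modulus) into the `<issuer-signing-keys>` fragment, carrying each RSA key's `id`, `n` and `e` rather than the bare kid. A kid is only a base64url identifier, so on its own it gives the validator no public key to check the signature with, which is what IDX10500 reports.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a discovery/keys (JWKS) response.
# The "n" value is a shortened placeholder, not a real 2048-bit modulus.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig",
         "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk",
         "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78", "e": "AQAB"},
        {"kty": "EC", "use": "sig", "kid": "ec-key-1", "crv": "P-256",
         "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
         "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
    ]
}


def is_base64url(value: str) -> bool:
    """True if value is unpadded base64url, the encoding JWKs use for kid/n/e."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return False  # '+', '/', '=' or other characters: not base64url
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def jwks_to_issuer_signing_keys(jwks: dict) -> str:
    """Render an <issuer-signing-keys> fragment from a JWKS document.

    Only RSA signing keys are emitted, each as <key id= n= e= />, so the
    validator receives the public modulus and exponent and not just a kid.
    """
    root = ET.Element("issuer-signing-keys")
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue  # the n/e attributes describe RSA signing keys only
        for field in ("kid", "n", "e"):
            if not is_base64url(jwk.get(field, "")):
                raise ValueError(f"JWK {jwk.get('kid')!r}: {field} is not base64url")
        ET.SubElement(root, "key", id=jwk["kid"], n=jwk["n"], e=jwk["e"])
    if len(root) == 0:
        raise ValueError("JWKS contains no RSA signing keys")
    return ET.tostring(root, encoding="unicode")
```

Keys copied into the policy this way do not follow the issuer's key rotation, so the fragment has to be regenerated whenever the JWKS changes; an openid-config element lets APIM fetch the current keys itself.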

1 additional answer

MuthuKumaranMurugaachari-MSFT 22,381 Reputation points
2023-07-10T16:23:45.4166667+00:00

    Arslan Pervaiz Thanks for posting your question in Microsoft Q&A. Based on the discussion, you are looking to specify issuer-signing-keys instead of specifying openid-config and got error message "Not valid Base64 string".

    You would need to specify keys as Base64 encoded signing key and the sample value X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk is not base64 string according to online tools such as https://onlinebase64tools.com/validate-base64. In the policy snippet, you can convert the key string to base64 using <set-variable name="base64Key" value="@(Convert.ToBase64String(Encoding.UTF8.GetBytes("X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk")))" /> and use base64 string (validated it is base64 in the online tool) in that section like below:

<issuer-signing-keys>
    <key>@((string)context.Variables["base64Key"])</key>
</issuer-signing-keys>

    I see similar discussion in your SO thread and this should help in mitigating the above error. If you face any other issues or questions, let us know. Would be happy to answer.
