How to get jwt token for authentication in azure apim endpoint through Microsoft Actionable Message Card?

Luís Coelho 0 Reputation points
2023-10-18T09:52:19.91+00:00

We are developing an Actionable Message Card that calls an Azure APIM endpoint, but we are having problems authenticating, the response is always 401-Unauthorized.

This is the configuration of the Accept action:

{
    "type": "Action.Http",
    "id": "Accept",
    "title": "Approve",
    "method": "POST",
    "url": "{foo_url}",
    "body": "{bar_body}",
    "headers": [
        {
            "name": "Authorization",
            "value": "{bearer token}"
        },
        {
            "name": "Content-type",
            "value": "application/json"
        },
        {
            "name": "Ocp-Apim-Subscription-Key",
            "value": "{foo_ocp-sub-key}"
        }
    ],
    "isPrimary": true,
    "style": "positive"
}

On the Azure APIM side:

The API security setting "User Authorization" is set to "No", however the JWT token is validated in the inbound policies. We are not sure this is the best approach, but it is what it is. We are open to suggestions about this as well.

Using the same headers as in the action configuration in Postman, we have successfully called the API endpoint, but when pressing the "Approve" button in the Actionable Message Card the response is always 401-Unauthorized. Even when using the same bearer token that works in the Postman request.

Do you have any ideas about what could be causing this? And how to overcome it?

Azure API Management

1 answer

  1. Sonny Gillissen 3,751 Reputation points Volunteer Moderator
    2023-10-21T19:18:38.9033333+00:00

    Hi Luís Coelho ,

    Thank you for reaching out on Microsoft Q&A!

    First off: checking your JWT in the inbound policy is the correct way, as there is no other way to validate it. So this part is correct :-)

    When it comes to validating a call from Adaptive Cards you have to keep in mind that this call is routed through a backbone network from Microsoft, with its own tokens. So you should not check your token, but the tokens that are used by the backbone.

    The code snippet below shows you how you can achieve this:

    <validate-jwt header-name="Authorization" failed-validation-error-message="You are not authorized to perform this call" require-scheme="Bearer">
        <openid-config url="https://substrate.office.com/sts/common/.well-known/openid-configuration" />
        <issuers>
            <issuer>https://substrate.office.com/sts/</issuer>
        </issuers>
    </validate-jwt>
    

    Please click “Accept answer” if you find this helpful. Feel free to drop additional queries in the comments below!

    Kind regards,

    Sonny

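Added example, not from the question or from Sonny's answer: a Python stand-in for the checks that the `validate-jwt` policy above performs on the token the Actionable Messages backbone attaches to an `Action.Http` call. It shows why a token minted for the asker's own tenant is rejected (issuer mismatch) while a backbone-issued token passes, and it goes one step beyond the answer's snippet by also checking the audience (the called URL) and the `sender` claim, which Microsoft's Actionable Messages security guidance asks the target endpoint to verify. Assumptions: real backbone tokens are RS256-signed and verified against the JWKS behind the openid-configuration URL in the answer; to run offline, the sample tokens here are HS256-signed with a constructed secret, and the target URL, sender address and tenant placeholder are constructed, not taken from the page.

```python
"""Model of the claim checks an APIM validate-jwt policy makes on an
Actionable Messages token. HS256 with a constructed secret stands in for
the real RS256 + JWKS verification (assumption, see lead-in)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple, Dict

EXPECTED_ISSUER = "https://substrate.office.com/sts/"  # issuer from the answer's policy
SECRET = b"constructed-demo-secret"                    # stand-in for the JWKS signing key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT from constructed claims (fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_actionable_message_token(authorization_header: str, target_url: str,
                                      allowed_senders: set, secret: bytes = SECRET,
                                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Mirror the policy: Bearer scheme, signature, issuer; then aud, exp, sender.

    require-scheme, openid-config and issuers in the answer's policy cover the
    first three; audience and sender are the extra checks the target should make.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False, "missing Bearer scheme"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers base64, UTF-8 and JSON decoding failures
        return False, "undecodable JWT"
    # Pin the algorithm: never let the token pick how it is verified.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, f"issuer {claims.get('iss')!r} is not the Actionable Messages backbone"
    if claims.get("aud") != target_url:
        return False, "audience does not match the called URL"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    if claims.get("sender") not in allowed_senders:
        return False, f"sender {claims.get('sender')!r} not allowed"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> Dict[str, Tuple[bool, str]]:
    """Run three constructed tokens through the checks and return the verdicts."""
    target = "https://example-apim.azure-api.net/approvals/accept"  # constructed URL
    senders = {"approvals@example.com"}                            # constructed sender
    backbone = {"iss": EXPECTED_ISSUER, "aud": target, "exp": now + 300,
                "sender": "approvals@example.com", "sub": "alice@example.com"}
    # The asker's own token: valid for their API in Postman, but a different issuer.
    own_tenant = dict(backbone, iss="https://login.microsoftonline.com/<tenant-id>/v2.0")
    wrong_aud = dict(backbone, aud="https://example-apim.azure-api.net/other")
    return {
        name: validate_actionable_message_token(f"Bearer {mint_token(claims)}",
                                                target, senders, now=now)
        for name, claims in (("backbone_token", backbone),
                             ("own_tenant_token", own_tenant),
                             ("wrong_audience", wrong_aud))
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `own_tenant_token` case is the asker's situation: the policy that accepted that token in Postman was validating the wrong issuer, so the backbone token Outlook actually sends fails with 401 until the policy points at `https://substrate.office.com/sts/`. The pinned `alg` and the constant-time signature compare are the two details worth keeping whichever library or policy engine does the real RS256 check.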
