Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid. TrackingId:537b0f0d-5639-4127-b04a-0b12c13dd2f4_G5

Sasidhar Parapudi 0 Reputation points
2024-01-15T12:51:43.02+00:00

Hi Guys, We are trying to grant access to a Service Bus topic/subscription in our tenant to our clients, using a multi-tenant Entra ID application. The sample code below works fine when we use our tenant ID but returns an unauthorised error when we use any of the clients' tenant IDs. We get a token returned in all the cases. What are we missing? Any help is appreciated. Actual error -> Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid. TrackingId:537b0f0d-5639-4127-b04a-0b12c13dd2f4_G5


```csharp
// See https://aka.ms/new-console-template for more information
using Azure.Core;
using Azure.Identity;
using Azure.Messaging.ServiceBus;

Console.WriteLine("Hello, World!");

// The Service Bus client types are safe to cache and use as a singleton for the lifetime
// of the application, which is best practice when messages are being published or read
// regularly.
//
// Set the transport type to AmqpWebSockets so that the ServiceBusClient uses port 443.
// If you use the default AmqpTcp, make sure that ports 5671 and 5672 are open.
var clientOptions = new ServiceBusClientOptions()
{
    TransportType = ServiceBusTransportType.AmqpWebSockets
};

//var tenantId = "xxxx-xxxx-xxxx-xxxx-xxx"; //ours
//var tenantId = "xxxx-xxxx-xxxx-xxxx-xxxx"; //client
var tenantId = "xxxx-xxx-408d-95c7-ede4e214635e"; // Client

// Client-credentials flow against the selected tenant: (tenantId, clientId, clientSecret).
// The token Service Bus receives is issued by this tenant, so its "iss" claim names it.
TokenCredential credential = new ClientSecretCredential(tenantId, "xxxxxxxxxxxxxxxxx", "xxxxxxxxxxxxxxxxxxx");

// Fetch a token by hand only to inspect it. Note that this scope is the app's own API
// (api://<app-id>/.default); ServiceBusClient itself requests https://servicebus.azure.net/.default.
var tokenRequestContext = new TokenRequestContext(new[] { "api://xxx-xxx-4ee5-9644-xxxxxx/.default" });
var tokenResponse = await credential.GetTokenAsync(tokenRequestContext, CancellationToken.None);
var x = tokenResponse.Token;

// TODO: Replace the <NAMESPACE-NAME> placeholder
var client = new ServiceBusClient("xxxxxx.servicebus.windows.net", credential, clientOptions);

// Create a receiver for the topic subscription.
// TODO: Replace the <TOPIC-NAME> and <SUBSCRIPTION-NAME> placeholders
var receiver = client.CreateReceiver("xxxxxxxxx", "xxxxxxxxxxxx");
try
{
    // Returns null if no message arrives before the receive timeout elapses.
    var receivedMessage = await receiver.ReceiveMessageAsync();
    if (receivedMessage is null)
    {
        Console.WriteLine("No message received.");
    }
    else
    {
        // get the message body as a string
        string body = receivedMessage.Body.ToString();
        Console.WriteLine(body);
    }
}
catch (Exception ex)
{
    Console.WriteLine(ex.ToString());
}
finally
{
    // Calling DisposeAsync on client types is required to ensure that network
    // resources and other unmanaged objects are properly cleaned up.
    await receiver.DisposeAsync();
    await client.DisposeAsync();
}
```


2 answers

  1. Ken Kam Hung, Lin 91 Reputation points
    2024-01-16T11:42:12.7266667+00:00

    Did you select the supported account types to be multitenant when you registered the application in Entra ID?

    https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

    To grant access to an Azure Service Bus topic/subscription for multiple tenants, you can use Shared Access Signatures (SAS). SAS allows you to grant access to Service Bus resources with specific rights. You can create Shared Access Policies at the level of a Service Bus namespace or at the level of an individual queue or topic. A Shared Access Policy can grant permissions to Manage, Send or Listen the resource.

    When working with a multitenant system that uses Service Bus, you need to make a decision about the level of isolation that you want to adopt. Service Bus supports several isolation models. Within your solution, you can use a specific Service Bus namespace for each tenant. This deployment approach provides your solution with the maximum level of isolation, with the ability to provide consistent performance per tenant. You can also fine-tune messaging capabilities for each tenant based on their needs, such as by using the following approaches:

    • Deploy the namespace to a region that’s close to the tenant.
    • Deploy a tenant-specific namespace with a pricing tier that’s appropriate to that tenant.
    • Apply networking restrictions based on the tenant’s needs.
    • Use tenant-specific encryption keys.

    Please note that the operational complexity of managing your namespaces increases as the number of tenants grows within your system over time.
    You may read more about enabling multitenancy for Service Bus here:
    https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/service-bus

    I hope this helps!
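The answer above suggests Shared Access Signatures for clients that sit in other tenants. As an added example that is not part of the original thread, the Python below mints a Service Bus SAS token from a Shared Access Policy key using the documented format (HMAC-SHA256, keyed with the policy key, over the URL-encoded resource URI and the expiry, presented as `SharedAccessSignature sr=...&sig=...&se=...&skn=...`) and verifies one the way the service does, so you can hand a client a short-lived token instead of the policy key itself. The namespace, topic, policy name and key are constructed placeholders, not values from the question.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse


def make_sas_token(resource_uri: str, policy_name: str, policy_key: str, expiry_epoch: int) -> str:
    """Mint a Service Bus SAS token for `resource_uri` expiring at `expiry_epoch` (Unix seconds).

    The signed string is "<url-encoded resource URI>\\n<expiry>"; the signature is
    HMAC-SHA256 keyed with the Shared Access Policy key, base64-encoded, then URL-encoded.
    """
    encoded_uri = urllib.parse.quote_plus(resource_uri)
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(policy_key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = urllib.parse.quote(base64.b64encode(digest).decode("ascii"))
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry_epoch}&skn={policy_name}"


def verify_sas_token(token: str, policy_key: str, now_epoch: int) -> bool:
    """Re-derive the signature from the token's own sr/se fields and compare in constant time.

    This mirrors what the service does with the key behind `skn`; it returns False for
    malformed, expired or tampered tokens.
    """
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = dict(urllib.parse.parse_qsl(token[len(prefix):], keep_blank_values=True))
    if not all(k in fields for k in ("sr", "sig", "se", "skn")):
        return False
    if not fields["se"].isdigit() or int(fields["se"]) < now_epoch:
        return False
    # parse_qsl decoded sr and sig; re-encode sr exactly as the signer did.
    string_to_sign = f"{urllib.parse.quote_plus(fields['sr'])}\n{fields['se']}".encode("utf-8")
    digest = hmac.new(policy_key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, fields["sig"])


# Constructed placeholders: a Listen-only policy scoped to the topic, not the namespace root key.
NAMESPACE = "contoso-example"
TOPIC = "orders"
POLICY_NAME = "client-listen"
POLICY_KEY = "c0nstructedKeyForTheExampleOnly/NotReal+Base64=="
RESOURCE_URI = f"https://{NAMESPACE}.servicebus.windows.net/{TOPIC}"


def token_for_client(ttl_seconds: int = 3600) -> str:
    """Short-lived token to hand to a client; the policy key itself never leaves this side."""
    return make_sas_token(RESOURCE_URI, POLICY_NAME, POLICY_KEY, int(time.time()) + ttl_seconds)


if __name__ == "__main__":
    token = token_for_client()
    print(token)
    print("valid now:", verify_sas_token(token, POLICY_KEY, int(time.time())))
```

Keep the expiry short and issue tokens from a policy that carries only the rights the client needs (Listen on the topic for a receiver); a SAS token cannot be revoked individually, only by regenerating the policy key behind it.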


  2. Navya 19,795 Reputation points Microsoft External Staff Moderator
    2024-01-23T04:05:37.7266667+00:00

    Hi @Sasidhar Parapudi
    Thank you for posting this in Microsoft Q&A. It says the "token issuer is invalid". That means it got an access token, but it was issued by the wrong Azure AD tenant. It seems you are using ClientSecretCredential authentication in your code. We have multiple authentication options supported for Service Bus. Try to use another authentication method like VisualStudioCredential directly, then simply specify the TenantId via VisualStudioCredentialOptions:

    TokenCredential tokenCredential = new VisualStudioCredential(new VisualStudioCredentialOptions { TenantId = "xxxxxxx" });


    For your reference: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.visualstudiocredential?view=azure-dotnet

    Hope this helps. Do let us know if you have any further queries. Thanks,
    Navya.

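The answer above makes the key diagnosis: the token was issued, but by a tenant other than the one that owns the namespace. The quickest way to confirm that is to decode the access token's `iss`, `tid` and `aud` claims and compare them with the tenant the Service Bus namespace lives in, since Entra ID stamps the issuing tenant into `iss` (`https://sts.windows.net/<tenant-id>/` for v1 tokens, `https://login.microsoftonline.com/<tenant-id>/v2.0` for v2) and the `ServiceBusClient` asks for the scope `https://servicebus.azure.net/.default`. The Python below is an added example, not code from the thread: it decodes a token without verifying the signature (for inspection only) and reports why Service Bus would refuse it. The tenant and app IDs and the two sample tokens are constructed; the "client tenant" token mimics what `ClientSecretCredential(clientTenantId, ...)` returns for the `api://...` scope in the question.

```python
import base64
import json

# Audience the Service Bus SDK requests a token for (scope https://servicebus.azure.net/.default).
SERVICE_BUS_AUDIENCE = "https://servicebus.azure.net"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.

    Local diagnostic only: never use unverified claims for an authorization
    decision. Service Bus does the real validation on the server side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuers(tenant_id: str) -> set:
    """Issuer values Entra ID uses for one tenant (v1 and v2 token formats)."""
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def diagnose_token(token: str, namespace_tenant_id: str) -> list:
    """List the reasons Service Bus in `namespace_tenant_id` would reject `token`.

    Returns an empty list when iss, tid and aud all match what the namespace expects.
    """
    claims = decode_claims(token)
    iss, tid, aud = claims.get("iss"), claims.get("tid"), claims.get("aud")
    findings = []
    if iss not in expected_issuers(namespace_tenant_id):
        findings.append(
            f"iss={iss!r} was not issued by the namespace tenant {namespace_tenant_id}; "
            "this is what Service Bus reports as InvalidIssuer"
        )
    if tid != namespace_tenant_id:
        findings.append(f"tid={tid!r} differs from the namespace tenant {namespace_tenant_id}")
    if not isinstance(aud, str) or aud.rstrip("/") != SERVICE_BUS_AUDIENCE:
        findings.append(
            f"aud={aud!r} is not {SERVICE_BUS_AUDIENCE}; a token minted for an api:// "
            "scope is for your own app, not for Service Bus"
        )
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline use only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(claims).encode("utf-8")),
        "",
    ])


# Constructed IDs; not the values from the question.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"    # tenant that owns the namespace
CLIENT_TENANT = "22222222-2222-2222-2222-222222222222"  # one client's tenant
APP_ID = "33333333-3333-3333-3333-333333333333"         # the multi-tenant app registration

# A token the namespace accepts: issued by the home tenant for the Service Bus audience.
GOOD_TOKEN = make_unsigned_token({
    "iss": f"https://sts.windows.net/{HOME_TENANT}/", "tid": HOME_TENANT,
    "aud": "https://servicebus.azure.net", "appid": APP_ID,
})

# Same app, but acquired against the client's tenant with the api:// scope from the question.
CLIENT_TENANT_TOKEN = make_unsigned_token({
    "iss": f"https://sts.windows.net/{CLIENT_TENANT}/", "tid": CLIENT_TENANT,
    "aud": f"api://{APP_ID}", "appid": APP_ID,
})

if __name__ == "__main__":
    for label, token in (("home tenant", GOOD_TOKEN), ("client tenant", CLIENT_TENANT_TOKEN)):
        problems = diagnose_token(token, HOME_TENANT)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run `diagnose_token` on the value of `tokenResponse.Token` from the question's code (with the real namespace tenant ID) to see which claim is off; for the SDK's own request only the `iss`/`tid` findings apply, because the client asks for the Service Bus scope itself.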
