How to specify the x and y values of an ES256 JWK inside issuer-signing-key of validate-jwt in Azure APIM

sneha s 0 Reputation points
2025-02-27T08:28:48.09+00:00

Hi Team.

I'm trying to make a request to a JWKS URL, fetch the JWKs, and store them in a context variable.

I identified the key from the set of JWKs by matching the kid of the JWT against each kid in the fetched set of JWKs.

I have identified the key, which has a value like this, for example:

    signingKey = {
        "kty": "EC",
        "kid": "kid_value",
        "use": "sig",
        "alg": "ES256",
        "x": "x_value",
        "y": "y_value",
        "crv": "P-256"
    }

How do I use the above inside issuer-signing-key of the validate-jwt policy? Please help, as I couldn't find any syntax for ES256. The documentation only mentions modulus and exponent for RS256.

Also, when I tried to convert the above key into Base64 and use it inside validate-jwt,

    <issuer-signing-keys>
        <key>@(Convert.ToBase64String(Encoding.UTF8.GetBytes(context.Variables.GetValueOrDefault<string>("signingKey"))))</key>
    </issuer-signing-keys>

I get the error:

    JWT Validation Failed: IDX10503: Signature validation failed. The token's kid is: 'kid_value', but did not match any keys in TokenValidationParameters or Configuration.
    Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: '', InternalId: 'dsdsasdasNZXtEHeTeytRIjXJNdsdadasda'. , KeyId: '.
    Number of keys in TokenValidationParameters: '1'.
    Number of keys in Configuration: '0'.
    Exceptions caught:
    'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
    Algorithm: 'ES256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey, KeyId: '', InternalId: 'VXkW1MNZXtsdadaeytRIjXJNhaaasad'.'
    is not supported.
    The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
       at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
       at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying(SecurityKey key, String algorithm, Boolean cacheProvider)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, SecurityToken securityToken, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)'.
    token: 'hidden'. 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/SecurityArtifactLogging. See https://aka.ms/IDX10503 for details.

Azure API Management

1 answer

  1. Sina Salam 22,031 Reputation points Volunteer Moderator
    2025-02-27T11:06:55.97+00:00

    Hello sneha s,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you need to know how to specify the x and y values of an ES256 JWK inside issuer-signing-key of validate-jwt in Azure APIM.

    I can see from your statement that you are trying to use the JSON Web Key Set (JWKS) method to validate an ES256 (Elliptic Curve) JWT inside the validate-jwt policy of Azure API Management (APIM). Your approach indicates that you are trying to pass a JWK directly into APIM, which is not going to work.

    Concatenating x, y, and crv with Base64 encoding is not valid for EC keys in APIM. Instead, use a PEM-formatted EC public key to resolve the SymmetricSecurityKey error and enable ES256 validation. Also, Azure APIM's validate-jwt policy does not natively support EC JWK parameters but can validate ES256 signatures with PEM-formatted keys.

    So, you do not need to encode x, y, and crv directly (via concatenation or JWK JSON). Azure APIM’s validate-jwt policy only supports PEM-formatted EC keys for ES256 validation. The PEM approach is the only valid method because it ensures APIM recognizes the key as asymmetric (EC), resolving the SymmetricSecurityKey error and enabling proper signature validation. You can try to use a library to convert your JWK to PEM, and avoid workarounds that rely on APIM magically parsing non-standard formats.

    Examples of how to do it are the following:

    1. You can use Python's cryptography library to convert your JWK into PEM format.
         from cryptography.hazmat.primitives.asymmetric import ec
         from cryptography.hazmat.primitives import serialization
         import base64
         # Example JWK (replace these values with your actual ones)
         jwk = {
             "kty": "EC",
             "kid": "kid_value",
             "use": "sig",
             "alg": "ES256",
             "x": "x_value",  # base64url-encoded, unpadded
             "y": "y_value",  # base64url-encoded, unpadded
             "crv": "P-256"
         }
         def b64url_decode(value: str) -> bytes:
             # JWK coordinates are unpadded base64url; restore the exact padding before decoding
             return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
         # Decode x and y; a P-256 coordinate is exactly 32 bytes
         x_bytes = b64url_decode(jwk["x"])
         y_bytes = b64url_decode(jwk["y"])
         if jwk["crv"] != "P-256" or len(x_bytes) != 32 or len(y_bytes) != 32:
             raise ValueError("expected a P-256 JWK with 32-byte x and y")
         # Create the public key object from the uncompressed SEC1 point 0x04 || x || y
         public_key = ec.EllipticCurvePublicKey.from_encoded_point(
             ec.SECP256R1(), b"\x04" + x_bytes + y_bytes
         )
         # Convert to PEM (SubjectPublicKeyInfo) format
         pem_key = public_key.public_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PublicFormat.SubjectPublicKeyInfo
         ).decode()
         print(pem_key)  # This is the PEM key to use in APIM
      
    2. Then use the PEM key in Azure APIM's validate-jwt policy. Once you have the PEM-encoded key, insert it into the validate-jwt policy:
         <validate-jwt header-name="Authorization"
                       failed-validation-httpcode="401"
                       failed-validation-error-message="Unauthorized">
             <issuer-signing-keys>
                 <!-- SubjectPublicKeyInfo PEM of a P-256 key; its Base64 body starts with MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE -->
                 <key>
                     -----BEGIN PUBLIC KEY-----
                     MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...
                     -----END PUBLIC KEY-----
                 </key>
             </issuer-signing-keys>
             <valid-issuers>
                 <issuer>https://your-issuer.com</issuer>
             </valid-issuers>
             <valid-audiences>
                 <audience>your-audience</audience>
             </valid-audiences>
         </validate-jwt>
      

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close the thread by upvoting and accepting this as the answer if it is helpful.
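Added worked example (written for this page; it is not code from the question, the answer, or Azure APIM): the same JWK-to-PEM conversion the answer performs, done in pure Python with only the standard library so that every byte involved is visible, together with the kid lookup the question describes and an ES256 signature check against the selected key. The key pair, kid, claims and the forged token are constructed for the demo; real tokens would come from the issuer. The P-256 constants, the SubjectPublicKeyInfo DER prefix and the ECDSA arithmetic are the standard ones, but the scalar multiplication is not constant-time, so this is for understanding the format, not for production signing.

```python
import base64, hashlib, json, secrets

# P-256 (secp256r1 / prime256v1) domain parameters, FIPS 186-4 / SEC 2
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
# DER prefix of SubjectPublicKeyInfo{id-ecPublicKey, prime256v1}, up to the 65-byte point
SPKI_P256_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")

def _add(p, q):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = (3 * p[0] * p[0] - 3) * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # JWK fields are unpadded

def jwk_to_point(jwk):
    """Decode x/y and reject anything that is not a valid point on P-256 (invalid-curve check)."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("expected an EC P-256 JWK")
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(xb) != 32 or len(yb) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if x >= P or y >= P or (y * y - (x ** 3 - 3 * x + B)) % P:
        raise ValueError("point is not on P-256")
    return x, y

def jwk_to_pem(jwk) -> str:
    """SubjectPublicKeyInfo PEM = DER prefix + uncompressed SEC1 point 0x04 || x || y."""
    x, y = jwk_to_point(jwk)
    der = SPKI_P256_PREFIX + b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def es256_sign(d: int, signing_input: bytes) -> bytes:
    """A JWS ES256 signature is the raw 64-byte r||s, not the DER SEQUENCE used in X.509/TLS."""
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def es256_verify(jwk, signing_input: bytes, sig: bytes) -> bool:
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, jwk_to_point(jwk)))
    return pt is not None and pt[0] % N == r

def make_jwt(d: int, kid: str, claims: dict) -> str:
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "ES256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url(es256_sign(d, signing_input.encode()))

def verify_jwt(token: str, jwks: dict) -> bool:
    """Select the JWKS entry by the token's kid (as the question does), then verify."""
    h, c, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "ES256":  # pin the algorithm; never let the token choose it
        return False
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    return key is not None and es256_verify(key, f"{h}.{c}".encode(), b64url_decode(s))

def demo():
    """Constructed key pair and token; returns (pem, genuine_token_ok, forged_token_ok)."""
    d = secrets.randbelow(N - 1) + 1  # constructed issuer private key, demo only
    qx, qy = _mul(d, G)
    jwk = {"kty": "EC", "kid": "kid_value", "use": "sig", "alg": "ES256", "crv": "P-256",
           "x": b64url(qx.to_bytes(32, "big")), "y": b64url(qy.to_bytes(32, "big"))}
    jwks = {"keys": [jwk]}
    token = make_jwt(d, "kid_value", {"sub": "sneha", "aud": "your-audience"})
    h, _, s = token.split(".")
    forged = h + "." + b64url(b'{"sub":"admin"}') + "." + s  # payload swapped, signature kept
    return jwk_to_pem(jwk), verify_jwt(token, jwks), verify_jwt(forged, jwks)

if __name__ == "__main__":
    pem, ok, forged_ok = demo()
    print(pem, "genuine valid:", ok, "forged valid:", forged_ok)
```

Two details matter for anyone doing this by hand. First, x and y are unpadded base64url, exactly 32 bytes each for P-256, and should be checked to lie on the curve before use, which jwk_to_point does. Second, a JWS ES256 signature is the raw 64-byte r||s concatenation, not the DER SEQUENCE that OpenSSL and .NET emit, so a DER-to-raw conversion is needed when bridging the two. The Base64 of the JWK's JSON text, as tried in the question, is an opaque byte string to the policy, which is consistent with the SymmetricSecurityKey named in the error; the EC point has to be decoded from x and y as above.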

