Azure APIM Validate JWT policy is not evaluating token issuers correctly

Daniel Bang Rothmann 21 Reputation points
2021-09-28T12:50:43.713+00:00

Hi all,

We have a multitenant AD app setup for issuing tokens to a cloud service we run. We want to do issuer whitelisting such that only certain AD tenants can access. For this we use the validate-jwt policy in APIM.

However, it seems to me that issuers are not being correctly evaluated. Say I have a token with the iss field set as https://login.microsoftonline.com/other-company/v2.0.

Here is a validate-jwt policy:

I would expect that this policy would approve tokens issued by my-company and reject tokens issued by other-company.

Based on my testing today, however, this is not the case: both tokens are approved. This indicates to me that the issuer part of the policy is not correctly evaluated.

If I add this segment to my policy, the issuers are validated as expected (my-company is approved, other-company is rejected).

Is this a fault/bug of the APIM policy or am I missing something here?


Accepted answer
  1. MayankBargali-MSFT 70,536 Reputation points
    2021-09-29T03:34:02.427+00:00

    @Daniel Bang Rothmann When you specify openid-config url, the issuers and signing keys are obtained from there. If you want to explicitly specify issuers, please remove the Open ID Connect Url.

    2 people found this answer helpful.
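As an added illustration (not from the question or the accepted answer), the following validate-jwt policy shows one way to keep the openid-config element and still enforce a tenant allowlist: the signing keys come from the OpenID metadata, while the iss claim is pinned to an explicit list through required-claims, the same element used in the other answer on this page. The common metadata URL, the audience, and the two tenant IDs are assumed placeholders.

```xml
<!-- Added example, not the original poster's policy.
     Assumes a multi-tenant app whose keys are published at the common v2.0 metadata endpoint. -->
<validate-jwt header-name="Authorization"
              failed-validation-httpcode="401"
              failed-validation-error-message="Unauthorized Bearer Token"
              require-expiration-time="true"
              require-scheme="Bearer">
    <!-- Signing keys are fetched from here; the issuer published by the common
         endpoint is a template, so it cannot be relied on for tenant allowlisting. -->
    <openid-config url="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
    <audiences>
        <!-- Placeholder application ID URI of the protected API -->
        <audience>api://00000000-0000-0000-0000-000000000000</audience>
    </audiences>
    <required-claims>
        <!-- Explicit allowlist of issuing tenants (placeholder tenant IDs).
             match="any" accepts a token whose iss equals any one listed value;
             a token from any other tenant is rejected with the 401 above. -->
        <claim name="iss" match="any">
            <value>https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0</value>
            <value>https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0</value>
        </claim>
    </required-claims>
</validate-jwt>
```

The iss values must match the token version exactly: v2.0 tokens carry the login.microsoftonline.com/{tenant}/v2.0 form used above, while v1.0 tokens carry the https://sts.windows.net/{tenant}/ form shown in the other answer, so list whichever form your app actually receives. Test with a token from a tenant that is not listed to confirm it is rejected before relying on the policy.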

1 additional answer

  1. dumbterminal 6 Reputation points
    2022-06-29T20:38:54.77+00:00

    I noticed weird behaviour today with the validate-jwt policy.

    Although the documentation says that both the audiences and issuers elements are optional, nowhere does the documentation say that the policy fails to validate the token in cases where we validate the audiences without validating the issuers.

    e.g. with a valid JWT token passed to APIM,

    This policy snippet fails during validation, i.e. it returns unauthorized, if I am only validating audiences:

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized Bearer Token" require-expiration-time="true" require-scheme="Bearer">
        <openid-config url="https://login.microsoftonline.com/my-tenant-id/v2.0/.well-known/openid-configuration"/>
        <audiences>
            <audience>api://cc3ce2f2-2b70-4c0b-8f3f-50f3698ac702</audience>
        </audiences>
        <required-claims>
            <claim name="roles" match="all">
                <value>data.read</value>
            </claim>
        </required-claims>
    </validate-jwt>

    While this works when I am validating both audiences and issuers:

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized Bearer Token" require-expiration-time="true" require-scheme="Bearer">
        <openid-config url="https://login.microsoftonline.com/my-tenant-id/v2.0/.well-known/openid-configuration"/>
        <audiences>
            <audience>api://cc3ce2f2-2b70-4c0b-8f3f-50f3698ac702</audience>
        </audiences>
        <issuers>
            <issuer>https://sts.windows.net/my-tenantid/</issuer>
        </issuers>
        <required-claims>
            <claim name="roles" match="all">
                <value>data.read</value>
            </claim>
        </required-claims>
    </validate-jwt>

    1 person found this answer helpful.
