Azure API with JWT token validation

Nayan Satish Nikumbh 6 Reputation points
2022-02-16T18:07:15.467+00:00

Hi,

I am developing an API for sending messages into teams.

The backend of this API is a Logic App where I'm calling the Graph API to send the message to Teams. A service principal is created for the purpose of authenticating the requests in the Logic App.

I have implemented inbound request rules which will validate the user request using certificate thumbprint.

Everything is OK till now; requests are getting validated using Ocp-Apim-Subscription-Key + certificates, and the backend sends the message into Teams.

Now, instead of users sending me certificates and then uploading them, I want to implement JWT token validation, such that users create tokens which can be validated with their requests.

For this I tried to configure this snippet for the inbound rules:

```xml
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
    <openid-config url="https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration" />
    <issuer-signing-keys>
        <key>Base64 Encoded Key</key>
    </issuer-signing-keys>
    <required-claims>
        <claim name="aud" match="all">
            <value><app id></value>
        </claim>
    </required-claims>
</validate-jwt>
```

To generate the JWT token I used this URL: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token with an x-www-form-urlencoded body:
client_id: <id>
scope: https://graph.microsoft.com/.default
client_secret: <secret>
grant_type: client_credentials

The generated token is sent in the Authorization header to my API. At this point I am getting a 401 Unauthorized exception.

Am I doing something wrong anywhere? Please guide me. Thanks!

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
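The checks that a validate-jwt policy like the one in the question performs can be reproduced locally to see which one is rejecting a token. The following is an added example, not the poster's policy or Microsoft's implementation; it uses only the Python standard library and an HS256 shared key, which corresponds to the `<issuer-signing-keys>` element, and the key, app ID and issuer values are constructed placeholders. It also exercises a failure mode worth checking whenever a policy returns 401: a token requested with scope `https://graph.microsoft.com/.default` carries the Graph resource as its `aud` claim, so a `required-claims` check for the API's own app ID rejects it.

```python
"""Stand-in for the checks an APIM validate-jwt policy performs (added example,
standard library only; HS256 shared key instead of the openid-config RS256 keys)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders, not real identifiers or secrets.
SIGNING_KEY = b"constructed-shared-secret-for-hs256"      # the <key> in issuer-signing-keys
API_APP_ID = "00000000-0000-0000-0000-0000000000a1"       # hypothetical app id of the API
GRAPH_AUDIENCE = "https://graph.microsoft.com"            # aud of a Graph .default token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT; alg='none' yields an unsigned token for the negative case."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    body = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = _b64url(header) + "." + _b64url(body)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_authorization_header(header_value, key, audience, now=None):
    """Return (True, claims) or (False, reason), in the order the policy attributes imply:
    require-scheme="Bearer", require-signed-tokens, issuer-signing-keys,
    require-expiration-time, required-claims aud (match="all")."""
    now = time.time() if now is None else now
    if not header_value:
        return False, "missing Authorization header"
    parts = header_value.split(" ", 1)
    if len(parts) != 2 or parts[0] != "Bearer":
        return False, "scheme is not Bearer"
    segments = parts[1].split(".")
    if len(segments) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(segments[0]))
        claims = json.loads(_b64url_decode(segments[1]))
        signature = _b64url_decode(segments[2])
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    if header.get("alg") != "HS256" or not signature:
        return False, "token is not signed with a supported algorithm"
    expected = hmac.new(key, f"{segments[0]}.{segments[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not match issuer-signing-keys"
    if "exp" not in claims:
        return False, "exp claim required"
    if now >= claims["exp"]:
        return False, "token expired"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        return False, f"aud {auds} does not contain {audience}"
    return True, claims


def demo(now=1_700_000_000):
    """Run the policy stand-in over constructed tokens; returns {case: (ok, detail)}."""
    good = make_token({"aud": API_APP_ID, "iss": "https://issuer.example/placeholder",
                       "exp": now + 3600}, SIGNING_KEY)
    graph = make_token({"aud": GRAPH_AUDIENCE, "exp": now + 3600}, SIGNING_KEY)
    expired = make_token({"aud": API_APP_ID, "exp": now - 1}, SIGNING_KEY)
    unsigned = make_token({"aud": API_APP_ID, "exp": now + 3600}, SIGNING_KEY, alg="none")
    cases = {
        "aud = API app id": "Bearer " + good,
        "aud = Graph resource": "Bearer " + graph,   # what a graph.microsoft.com/.default token carries
        "expired": "Bearer " + expired,
        "alg none": "Bearer " + unsigned,
        "no Bearer scheme": good,
    }
    return {name: validate_authorization_header(v, SIGNING_KEY, API_APP_ID, now=now)
            for name, v in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The two-element results make the rejection reason visible, which the policy's `failed-validation-error-message` deliberately hides from the caller; only the "aud = API app id" case passes. Real Azure AD tokens are RS256-signed with keys fetched from the `openid-config` URL, which the policy handles for you; this stand-in only illustrates the order of checks and why the audience claim must match the API's own app ID rather than the Graph resource.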

1 answer

  1. Nayan Satish Nikumbh 6 Reputation points
    2022-03-03T09:39:19.693+00:00

    So I found the answer. I was missing a step in configuring the API, i.e. setting up the OAuth 2.0 service in the developer portal.
    After doing this, I was able to validate the JWT token.
    Also take care to remove the Authorization header before backend execution.

    1 person found this answer helpful.