BHASKARBISWAS-1702 asked

Azure APIM JWT token validation policy

Can somebody tell me what is meant by the below error?


{"message":"JWT Validation Failed: IDX10501: Signature validation failed. Unable to match keys: \nkid: '714c28b0a8a547d997940eaa54d972f2', \ntoken: '{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"714c28b0a8a547d997940eaa54d972f2\"}.{\"aud\":\"18022020\",\"sub\":\"user-000-000-001\"}'.."}}]

azure-api-management

This may depend on how you grab your token. Have you set the scope to the target application registered in AAD?
Take for example grabbing the token through Postman: besides setting the body content of grant_type, client_id and client_secret, you need to specify the right scope, namely the AAD registered app's [Application ID URI] ending with /.default (api://4c54c82c-8888-9999-9999-3493eb78ef0f/.default).

MikeUrnun answered

In case you haven't, be sure to specify the key id property on the <validate-jwt> policy such that it matches the kid in the token:

<key id="714c28b0a8a547d997940eaa54d972f2...">....</key>

This will allow the policy to find the correct key to validate the token.

BHASKARBISWAS-1702 answered

So, you mean to say that validate-jwt is not able to determine the kid value?

My Scenario

  1. I have an Azure Key Vault and created a key in it. For example, let's say the key name is demoKey and its id is 714c28b0a8a547d997940eaa54d972f2.

  2. I have generated a JWT token by signing it with the private key of the Azure Key Vault key demoKey created in step 1.


JWT token: eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIiwia2lkIjoiNzE0YzI4YjBhOGE1NDdkOTk3OTQwZWFhNTRkOTcyZjIifQ.eyJhdWQiOiAiMTgwMjIwMjAiLCAgInN1YiI6ICJ1c2VyLTAwMC0wMDAtMDAxIn0.BGYsegSRl2RVXEYiqbeO5ewijEDRRfRnzoWpXw9_3VFmkojM2co_-NI726Y5YZv4SomaaEe-Ul9jApQcQfvfc3Ib9jsFebZgkmzf4FS8OdWJ0Y_quRugsyHsTnc3poFFzTlwDEzlEpDCzJwk06ogXyAKxRh1Ke73aAkwQVGzgUWkF4I6KYjFOydPSlONKyKglOqgepYZjXOGnQY_AXBwNOmnNSzKzrT49aBQ6TztPlcJddzSSYNX5DsTX9NuS5jrrvj0N6sKycovoUdoFseO1tsrPF-4OSpzm1IK66LR4I8UxLlM6S9a8DHh2sW2D51gPTusrnAtZ_rVxTZvwExeRw

  3. Now I pass the JWT token in the request and want to validate it with the public key of the Azure Key Vault key demoKey created in step 1.

  4. I get the public key by calling the Azure Key Vault demoKey URL. Below is the response I get when I call the URL:


{
"key": {
"kid": "https://azure-host-name/keys/demoKey/714c28b0a8a547d997940eaa54d972f2",
"kty": "RSA",
"key_ops": [
"sign",
"verify",
"wrapKey",
"unwrapKey",
"encrypt",
"decrypt"
],
"n": "uCbTYEqdDzGPTspx-daXLuSPQYpgwhp98g9_CYidchyVv-UhKXpnqEUo16KEjFLAtIGoO-zP0O_USURR5E_XroccIA1ZE7ERLz87v32bZJk_ljtAAwNlAiXHrXXNFOZ6E1QsZY2LiBBAC5aKOVUL6iY2QC-FxocuIHrgcplPltRqwcyF9ftRUuA5rKiXJp1M8EJUg0i_6tUdcRQ9TxLZJ_7tCqgvKQXzS-0SRcuX6l3T8_-_DR-CNEM6v_EOjLNoTpZPgYM1qlIsnlICX812ADToQgqmPp5At810ACei2EtNgzNH0kDgNjaV8nX93MGo7Tjdnks_SJtqAyC8aylpww",
"e": "AQAB"
},
"attributes": {
"enabled": true,
"created": 1583915663,
"updated": 1583915663,
"recoveryLevel": "Purgeable"
}
}

  5. This is how I am using the JWT validation policy:

<validate-jwt token-value="@{return (string)context.Variables["id_token"];}" failed-validation-httpcode="401" failed-validation-error-message="Failed Validation" output-token-variable-name="VerifyPlatformJWT">
    <issuer-signing-keys>
        <key>@{
            // This is the public key that I am using, which I got from step 4 (n)
            var publicKey = "{{signing-key}}";
            string padded = publicKey.Length % 4 == 0
                ? publicKey : publicKey + "====".Substring(publicKey.Length % 4);

            string base64 = padded.Replace("_", "/")
                                  .Replace("-", "+");

            return Convert.ToBase64String(Convert.FromBase64String(base64));
        }</key>
    </issuer-signing-keys>
</validate-jwt>


Am I doing anything wrong?


Hi @BHASKARBISWAS-1702 - Per my answer above, could you try adding the id attribute to the <key> tag to see if that resolves it?

It didn't work.


I reiterate my scenario.

  1. Sign a payload with an Azure Key Vault key.

  2. Validate the payload signature with the public key exposed by Key Vault.

I am getting the public key by calling the below URL:
https://demo.vault.azure.net/keys/demokeyname?api-version=7.0

StigBuhlPoppKristensen-4562 answered
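The thread above turns on two things a verifier has to do with a Key Vault-signed RS256 token: match the token's `kid` (the key version, `714c28b0a8a547d997940eaa54d972f2`) against the last path segment of the `kid` URL that Key Vault returns, and then check the signature using the modulus `n` together with the exponent `e` as an RSA public key, not by handing the base64url-encoded `n` over as if it were a symmetric secret. The following is an added example that is not part of the original thread and not Azure or APIM code: it uses only the Python standard library, generates its own throwaway RSA key in place of the Key Vault key (the key, the vault URL `https://demo.vault.azure.net/keys/demoKey/...` and the RSA/JWT helpers are constructed for the demo), signs a token with the same header and claims as the one in the question, builds a response of the same shape as the Key Vault JSON quoted above, and verifies the token the way a validating policy must. A `kid` that does not match produces the same "no key with kid" condition reported as IDX10501; a tampered payload fails the signature check.

```python
"""Offline check of a Key Vault-style RS256 JWT against the JWK Key Vault returns.
Demo-only RSA (pure standard library); the real key would live in Key Vault."""
import base64, hashlib, json, random, secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a throwaway demo key, not for production keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 1024, e: int = 65537):
    """Constructed throwaway key standing in for the Key Vault key (demo only)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def pkcs1_v15_encode(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes, as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_rs256(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(pkcs1_v15_encode(signing_input, k), d, n).to_bytes(k, "big")

def verify_rs256(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return pow(s, e, n) == pkcs1_v15_encode(signing_input, k)

def make_jwt(header: dict, claims: dict, n: int, d: int) -> str:
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(sign_rs256(signing_input.encode(), n, d))

def key_vault_jwk(vault_kid_url: str, n: int, e: int) -> dict:
    """Same shape as the GET /keys/{name}/{version} response quoted in the thread."""
    return {"key": {"kid": vault_kid_url, "kty": "RSA", "key_ops": ["sign", "verify"],
                    "n": b64url_encode(int_to_bytes(n)), "e": b64url_encode(int_to_bytes(e))}}

def verify_jwt_with_vault_jwk(token: str, jwk_response: dict):
    """Return (True, claims) or (False, reason): kid match first, then RS256 check."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":
        return False, "unexpected alg"
    key = jwk_response["key"]
    # Key Vault's kid is a URL; the token's kid is its final segment (the key version).
    if header.get("kid") != key["kid"].rsplit("/", 1)[-1]:
        return False, "no key with kid %r (the IDX10501 case)" % header.get("kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not verify_rs256((h64 + "." + c64).encode(), b64url_decode(s64), n, e):
        return False, "signature invalid"
    return True, json.loads(b64url_decode(c64))

if __name__ == "__main__":
    n, e, d = generate_rsa_key()
    version = "714c28b0a8a547d997940eaa54d972f2"  # kid from the question
    token = make_jwt({"alg": "RS256", "typ": "JWT", "kid": version},
                     {"aud": "18022020", "sub": "user-000-000-001"}, n, d)
    jwk = key_vault_jwk("https://demo.vault.azure.net/keys/demoKey/" + version, n, e)
    print(verify_jwt_with_vault_jwk(token, jwk))
```

The `key_ops` list is trimmed to the two operations the demo uses; the `attributes` block from the real response is irrelevant to verification and omitted. Note that `e` round-trips to the `"AQAB"` seen in the Key Vault response, and that the 256-byte modulus is what the policy above was base64-re-encoding: on its own it is a public value, so even if the policy accepted it as a key it would neither verify an RSA signature nor act as a secret.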

Hi @BHASKARBISWAS-1702

If I understand this right, you can't use an RSA key, only a certificate:
https://docs.microsoft.com/da-dk/azure/api-management/api-management-access-restriction-policies#ValidateJWT

Have you found a solution otherwise?
