We have a multitenant AD app setup for issuing tokens to a cloud service we run. We want to do issuer whitelisting such that only certain AD tenants can access. For this we use the validate-jwt policy in APIM.
However, it seems to me that issuers are not being correctly evaluated. Say I have a token with the iss field set as
Here is a validate-jwt policy:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
    <openid-config url="https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration" />
    <audiences>
        <audience>my-app</audience>
    </audiences>
    <issuers>
        <issuer>https://login.microsoftonline.com/my-company/v2.0</issuer>
    </issuers>
</validate-jwt>
I would expect that this policy would approve tokens issued by my-company and reject tokens issued by
Based on my testing today, however, this is not the case: both tokens are approved. This indicates to me that the issuer part of the policy is not correctly evaluated.
If I add this segment to my policy, the issuers are validated as expected (my-company is approved, other-company is rejected).

<required-claims>
    <claim name="iss" match="any">
        <value>https://login.microsoftonline.com/my-company/v2.0</value>
    </claim>
</required-claims>
Is this a fault/bug of the APIM policy or am I missing something here?
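As an added illustration (not code from the post or from APIM), the following script performs the same exact-match issuer check that the required-claims block above expresses, and goes one step further by allow-listing on the tenant segment of the issuer so that both the v2.0 issuer form and the v1.0 form (https://sts.windows.net/{tenantid}/) are recognised. The tenant names and the test tokens are constructed placeholders, and the script deliberately checks only the iss claim; signature, audience and expiry validation remain the job of validate-jwt.

```python
import base64
import json
import re

# Allow-listed tenants. Placeholders as in the post; a real Entra ID
# tenant id is a GUID.
ALLOWED_TENANTS = {"my-company"}

# Issuer formats Entra ID uses: v2.0 tokens vs v1.0 tokens.
_ISSUER_PATTERNS = (
    re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/v2\.0$"),
    re.compile(r"^https://sts\.windows\.net/([^/]+)/$"),
)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (claims only, no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def tenant_from_issuer(iss):
    """Extract the tenant segment from a recognised issuer URL, else None."""
    for pattern in _ISSUER_PATTERNS:
        match = pattern.match(iss or "")
        if match:
            return match.group(1)
    return None


def issuer_allowed(token: str, allowed=ALLOWED_TENANTS) -> bool:
    """True only if the iss claim names an allow-listed tenant in a known format."""
    tenant = tenant_from_issuer(jwt_claims(token).get("iss"))
    return tenant is not None and tenant in allowed


def make_test_token(claims: dict) -> str:
    """Build a constructed test token; the signature part is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```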