question

DanielBangRothmann-5064 asked

Azure APIM Validate JWT policy is not evaluating token issuers correctly

Hi all,

We have a multitenant AD app setup for issuing tokens to a cloud service we run. We want to do issuer whitelisting such that only certain AD tenants can access. For this we use the validate-jwt policy in APIM.

However, it seems to me that issuers are not being correctly evaluated. Say I have a token with the iss field set as https://login.microsoftonline.com/other-company/v2.0.

Here is a validate-jwt policy:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
    <openid-config url="https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration" />
    <audiences>
        <audience>my-app</audience>
    </audiences>
    <issuers>
        <issuer>https://login.microsoftonline.com/my-company/v2.0</issuer>
    </issuers>
</validate-jwt>


I would expect that this policy would approve tokens issued by my-company and reject tokens issued by other-company.

Based on my testing today, however, this is not the case: both tokens are approved. This indicates to me that the issuer part of the policy is not correctly evaluated.

If I add this segment to my policy, the issuers are validated as expected (my-company is approved, other-company is rejected).

<required-claims>
    <claim name="iss" match="any">
        <value>https://login.microsoftonline.com/my-company/v2.0</value>
    </claim>
</required-claims>


Is this a fault/bug of the APIM policy or am I missing something here?

azure-api-management

1 Answer

MayankBargali-MSFT answered

@DanielBangRothmann-5064 When you specify openid-config url, the issuers and signing keys are obtained from there. If you want to explicitly specify issuers, please remove the Open ID Connect Url.

DanielBangRothmann-5064 commented

OK that's good to know, thanks.

I don't think the documentation makes it clear that specifying the Open ID Connect configuration overrides the <issuers> tag. My expectation would have been that the issuer tag applies additional filtering on the allowed issuers specified by the Open ID configuration which, in this case, allows any AD tenant.

MayankBargali-MSFT commented

@DanielBangRothmann-5064 Thanks for your feedback. I will work with the content author for the document enhancement.

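An added example, not code from this thread or from APIM: a small Python model of what the combined policy in the question checks (signature and audience as validate-jwt does, then an explicit issuer allowlist as the required-claims element does), so the behaviour described above can be reproduced offline. It assumes a constructed HS256 demo key in place of the RS256 signing keys APIM fetches from the openid-configuration document, and reuses the tenant names my-company and other-company from the question; the validate function and its messages are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. APIM would instead use the provider's signing keys
# from the openid-configuration document; HS256 is used here only so the
# example runs offline without an RSA library.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"

# Explicit allowlist, the equivalent of the required-claims "iss" values in
# the question. Tenant names are the placeholders used in the thread.
ALLOWED_ISSUERS = {
    "https://login.microsoftonline.com/my-company/v2.0",
}
EXPECTED_AUDIENCE = "my-app"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(issuer: str, audience: str, key: bytes = DEMO_KEY,
               lifetime: int = 3600) -> str:
    """Build a constructed HS256 JWT for exercising validate() below."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate(token: str, allowed_issuers, audience: str = EXPECTED_AUDIENCE,
             key: bytes = DEMO_KEY) -> tuple:
    """Model of validate-jwt followed by an explicit issuer check.

    Returns (accepted, reason). The signature is verified before any claim
    is read, so the iss value is only ever compared after it is known to
    have been signed by the expected key.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed payload"
    if claims.get("exp", 0) <= int(time.time()):
        return False, "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False, "audience mismatch"
    # This is the step the question found missing when only <issuers> was
    # combined with openid-config: compare the signed iss claim against the
    # explicit allowlist rather than whatever the metadata document allows.
    if claims.get("iss") not in allowed_issuers:
        return False, f"issuer not allowed: {claims.get('iss')}"
    return True, "ok"


if __name__ == "__main__":
    for tenant in ("my-company", "other-company"):
        token = make_token(f"https://login.microsoftonline.com/{tenant}/v2.0", "my-app")
        print(tenant, validate(token, ALLOWED_ISSUERS))
```

The check order matters: a token from other-company is rejected on the issuer step only after its signature and audience have passed, which mirrors a policy where openid-config supplies the keys for signature validation and required-claims supplies the tenant allowlist. Running the module prints one accepted and one rejected result for the two tenants from the question.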