Validate JWT Policy at APIM - gives error - Signature validation failed. Unable to match keys

  • Question

  • I am trying to implement - Protecting APIs using OAuth 2.0  with Azure AD and API management by following this article.

     

    I have successfully created all the steps defined like App registrations (Client app and back end app), Granted permissions, Enabled Oauth 2.0 etc. 

    While testing it from the developer portal, I have selected "Authorization Code" in the drop down which gave me bearer token as well. So far so good.

     

    What I am trying to do next is Configure a JWT validation policy to pre-authorize requests at APIM Level.

     

    By going to this site, I copied  the Policy sample for "Azure Active Directory B2C token validation "section and Changed the params accordingly as shown below.

     

    <inbound>
        <base />
        <!-- Rejects the call with 401 unless the Authorization header carries a JWT that validates
             against the keys published at the openid-config URL and carries the required aud claim -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/tfp/mytenant.onmicrosoft.com/B2C_1_myapp/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>{APP-id of the back end App of App registration}</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>

     

    When I try to call the backend API (GetSpeakers) in the Demo Conference API within APIM, I get the following error.

     

    On error

    validate-jwt (98 ms)

    {     "message": "JWT Validation Failed: IDX10501: Signature validation failed. Unable to match keys: \nkid: 'BB8CeFVqyaGrGNuehJIiL4dfjzw', \ntoken: '<token>'.." }

     

    I have been struggling for the past 2 days. Can someone help me with what I am missing here? Help please…!!

     

    Thanks in Advance!

    -Mathew James



    Friday, November 15, 2019 11:25 AM

All replies

  • Could you try to compare the aud claim with the full app id instead? It looks like api://<client-id>.



    Friday, November 15, 2019 3:13 PM
    Moderator
  • Thank you Pramod for the response. I tried the same and it gives same error. Just another thought, does it have anything to deal with "Scopes defined by this API"  ? 

    In fact I defined my own scope name like "my-API-Scope". Any thoughts ?

    Thanks!
    -Mathew

    Saturday, November 16, 2019 6:46 AM
  • Can you check your token here https://jwt.io/ and see if the token is a valid one and has the same aud as your policy is expecting?

    Pi_xel_xar

    Blog: My Blog

    BizTalkApplicationDeploymentTool: BizTalk Application Deployment Tool/

    Monday, November 18, 2019 8:32 AM
  • I just entered it and here is the result.

    {
      "typ": "JWT",
      "alg": "RS256",
      "x5t": "BB8CeFVqyaGrGNuehJIiL4dfjzw",
      "kid": "BB8CeFVqyaGrGNuehJIiL4dfjzw"
    }

    {
      "aud": "api://e7191cef-ee03-4276-826c-1ef254d189aa",
      "iss": "https://sts.windows.net/e7520e4d-d5a0-488d-9e9f-949faae7dce8/",
      "iat": 1574083293,
      "nbf": 1574083293,
      "exp": 1574087193,
      "acr": "1",
      "aio": "AVQAq/8NAAAAtRlrJjIarBMNrpaq9XU3koFH+OOIrl4lJplSDm5TsUjeDFDW+NHrNSHIpmivSMWIS6wAD8ppr+8cgt1CCRZXMfhIMKiNZ2o9fw4FCGQqqks=",
      "amr": [
        "pwd",
        "mfa"
      ],
      "appid": "52282bb8-ff96-4954-ad39-1d3bde788e0e",
      "appidacr": "1",
      "family_name": "Jerry",
      "given_name": "Mathew",
      "ipaddr": "103.194.69.216",
      "name": "Mathew Jerry",
      "oid": "58e4a46f-bdb0-42fd-8959-bf4c85be43d5",
      "onprem_sid": "S-1-5-21-1078081533-1757981266-682003330-17465572",
      "scp": "Bonsai-API-Scope",
      "sub": "tOwD92q39XpNNw2zD_-IwOYJd9W7D-195HDaQhJzmUI",
      "tid": "e7520e4d-d5a0-488d-9e9f-949faae7dce8",
      "unique_name": "GD000007910@ups.com",
      "upn": "GD000007910@ups.com",
      "uti": "4IiCtUpj0UelSdvQsqmVAA",
      "ver": "1.0"
    }

    Under Verify Signature it says Signature Verified:

    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnYf1jpn7cFdQK2VuZevo
    fmjBjLXldOXe92k5ktSSTg5X0sywHWmGM2n7CCXbx4CCs01+7gFNWUd1H3Ho1OtK
    IhqmxiPPMTPiY6ZGHUHDm0nGK3RUQafTT9kQ2eJOOB4QViAMdjCOt9lDp0REEWLD
    U5BvYgbl/cou3H3aVRd4hntm9No+RSlzhB3rBBmZaDM+pYWhxGwkBMbJnNeKJdBS
    tz1xWqbVvCzc/SUUFyo22/4AoNgpPkhFguzIKS55AL1HotQKxlUPttUiR5C4DeJ6
    EkogQCWT97ePkThVoJGzrjZqNv/P2QHJOXbEvaTQB5kZzz9FzLtJCfQsFwk1kan9
    IwIDAQAB

    Pi_xel_xar, can you look at it and let me know whether I am missing anything?

    Thanks in Advance!
    -Mathew

    Monday, November 18, 2019 1:44 PM
  • Your aud is: api://e7191cef-ee03-4276-826c-1ef254d189aa

    Verify that {APP-id of the back end App of App registration} is the same value:

    <claim name="aud">
        <value>{APP-id of the back end App of App registration}</value>
    </claim>


    Pi_xel_xar


    Monday, November 18, 2019 7:31 PM
  • I have applied the same. Here is my full policy detail.

    <policies>
        <inbound>
            <base />
            <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
                <openid-config url="https://login.microsoftonline.com/e7520e4d-d5a0-488d-9e9f-949faae7dce8/v2.0/.well-known/openid-configuration" />
                <required-claims>
                    <claim name="aud">
                        <value>api://e7191cef-ee03-4276-826c-1ef254d189aa</value>
                    </claim>
                </required-claims>
            </validate-jwt>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>

    Tuesday, November 19, 2019 5:43 AM
  • So this still fails with the same error?

    You have <base/> policy execution before the JWT validation.

    Can you check if you have anything there that is causing the failure?

    Base policy will be the policy that is on

    1. Global scope
    2. Product scope
    3. API scope
    4. Operation scope


    Pi_xel_xar



    • Edited by Pi_xel_xar Tuesday, November 19, 2019 8:53 AM
    Tuesday, November 19, 2019 8:13 AM
  • Pi_xel_xar -

    That was good information for me.

    In fact I even tried removing <base/> first and it gave the same error. I also moved the <base/> tag after <validate-jwt> and the result still remained the same.

    Now the error is

    validate-jwt (62 ms)
    {
        "message": "JWT Validation Failed: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/e7520e4d-d5a0-488d-9e9f-949faae7dce8/'. Did not match: validationParameters.ValidIssuer: '' or validationParameters.ValidIssuers: 'https://login.microsoftonline.com/e7520e4d-d5a0-488d-9e9f-949faae7dce8/v2.0'.."
    }

    Thanks!

    -Mathew

     

    Tuesday, November 19, 2019 9:48 AM
  • How are you getting the OAuth token?

    Your issuer looks like: https://sts.windows.net/e7520e4d-d5a0-488d-9e9f-949faae7dce8/

    The issuer needs to be https://login.microsoftonline.com/e7520e4d-d5a0-488d-9e9f-949faae7dce8/v2.0

    The error points to this.


    Pi_xel_xar


    Tuesday, November 19, 2019 10:36 AM
  • Exactly. I don't have any idea how come it's coming as

    https://sts.windows.net/e7520e4d-d5a0-488d-9e9f-949faae7dce8/ 

    when it should have been 

    https://login.microsoftonline.com/e7520e4d-d5a0-488d-9e9f-949faae7dce8/v2.0.

    Although I took a screenshot of every scenario, I am unable to insert the image. Can you also help me with what I should do so that they can verify my account so that I can insert images?

    Thanks!
    -Mathew



    Tuesday, November 19, 2019 11:43 AM
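The two errors in this thread (IDX10501 "Unable to match keys" and IDX10205 "Issuer validation failed") come from checks that validate-jwt runs against the metadata behind the openid-config URL. The script below is an added diagnostic example written for this thread; it is not code from the thread, from Microsoft, or from the APIM product. It generalizes the manual jwt.io inspection above into the three checks the policy performs before the RSA signature is verified: is the token's kid present in the key set the metadata points to, does iss equal the metadata's issuer, and does aud contain the configured claim value. Every tenant id, app id, discovery document, key id and token in it is a constructed placeholder, so it runs offline; it does not verify the signature itself, which is what APIM does once a key matches.

```python
import base64
import json
import time

# Placeholders (constructed, not the thread's real ids).
TENANT = "00000000-0000-0000-0000-000000000000"
BACKEND_APP_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_AUD = f"api://{BACKEND_APP_ID}"   # the <value> under <claim name="aud">
NOW = 1_700_000_000                          # fixed clock so results are reproducible


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Return (header, payload) of a compact JWS without checking the signature.
    This is the same view jwt.io shows: which key (kid) and issuer the token claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def make_token(header: dict, payload: dict) -> str:
    """Build a test token with a dummy signature segment (constructed input)."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


def diagnose(token, discovery, jwks, expected_aud, now=None):
    """Replay the checks validate-jwt makes around signature verification.
    Returns 'check: explanation' strings; an empty list means only the RSA
    signature itself is left to verify."""
    now = time.time() if now is None else now
    header, payload = decode_unverified(token)
    findings = []

    # 1. Key lookup: the kid must exist in the JWKS referenced by the openid-config
    #    URL. A kid that is absent is exactly IDX10501 "Unable to match keys".
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in kids:
        findings.append(f"kid: '{header.get('kid')}' not in key set {sorted(kids)}; "
                        "the openid-config URL points at a different authority than "
                        "the one that signed the token")

    # 2. Issuer: compared with the discovery document's 'issuer'. v1.0 Azure AD tokens
    #    carry https://sts.windows.net/<tenant>/, while v2.0 metadata advertises
    #    https://login.microsoftonline.com/<tenant>/v2.0 (IDX10205 when they differ).
    if payload.get("iss") != discovery["issuer"]:
        findings.append(f"iss: token says '{payload.get('iss')}' (ver={payload.get('ver')}) "
                        f"but metadata issuer is '{discovery['issuer']}'")

    # 3. Audience: must contain the value configured under <claim name="aud">.
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud: '{aud}' does not contain required '{expected_aud}'")

    # 4. Lifetime.
    if payload.get("exp", 0) <= now:
        findings.append("exp: token is expired")
    return findings


# Constructed discovery documents and key sets for the placeholder tenant.
DISCOVERY_V2 = {"issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
                "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys"}
DISCOVERY_V1 = {"issuer": f"https://sts.windows.net/{TENANT}/",
                "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/keys"}
DISCOVERY_OTHER = {"issuer": "https://other-authority.example/v2.0/",   # constructed
                   "jwks_uri": "https://other-authority.example/keys"}
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "KEY-AAD-001", "e": "AQAB", "n": "<omitted>"}]}
OTHER_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "KEY-OTHER-777", "e": "AQAB", "n": "<omitted>"}]}

# A v1.0 access token signed by the tenant's key, shaped like the one in the thread.
V1_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "kid": "KEY-AAD-001"},
    {"aud": EXPECTED_AUD, "iss": DISCOVERY_V1["issuer"], "ver": "1.0",
     "scp": "my-API-Scope", "iat": NOW, "nbf": NOW, "exp": NOW + 3600})


def run_scenarios():
    """The three configurations the thread walks through, in order."""
    return {
        "other_authority_metadata": diagnose(V1_TOKEN, DISCOVERY_OTHER, OTHER_JWKS, EXPECTED_AUD, NOW),
        "v2_metadata_v1_token": diagnose(V1_TOKEN, DISCOVERY_V2, JWKS, EXPECTED_AUD, NOW),
        "v1_metadata_v1_token": diagnose(V1_TOKEN, DISCOVERY_V1, JWKS, EXPECTED_AUD, NOW),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, "->", findings or "OK (only the signature left to verify)")
```

The first scenario reproduces the original policy: metadata from a different authority (the B2C URL) publishes a different key set, so the kid lookup fails before any signature is checked. The second reproduces the later policy: the metadata is the tenant's v2.0 document, but the payload shown above has "ver": "1.0" and an sts.windows.net issuer, so the issuer check fails. The third scenario passes, which corresponds to pointing openid-config at the tenant's v1.0 metadata (the same URL without the /v2.0 segment) to match the v1.0 token the developer portal issued; obtaining a v2.0 token instead would also align the issuer with the v2.0 metadata.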