
Azure API Management: authorization with OAuth2 401 gives "Unauthorized. Access token is missing or invalid."

I have a few APIs (Logic Apps, Functions) that I want to expose through Azure API Management. They work fine, so I decided to add OAuth2 authorization.

I followed step by step https://docs.microsoft.com/fr-fr/azure/api-management/api-management-howto-protect-backend-with-aad :

  • Register an application (backend-app) in Azure AD to represent the API.
  • Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
  • In Azure AD, grant permissions to allow the client-app to call the backend-app.
  • Configure the Developer Console to call the API using OAuth 2.0 user authorization.
  • Add the validate-jwt policy to validate the OAuth token for every incoming request.
  • Also use Postman to test

Everything works until the "validate-jwt" policy step. When I add it, I get a "401 - Unauthorized. Access token is missing or invalid." I can get the token, in Developer Console and Postman, but as soon as I do the API call... 401!

When I used jwt.ms to check the content of the token, I noticed that the aud param has nothing to do with the backend Application ID. The value in the token is "00000003-0000-0000-c000-000000000000", whereas the backend app ID is like "16caXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXc0".

I'm running out of ideas and need the help of some Azure gurus out there! Help would be very much appreciated...

Here below the inbound policy as per the MS doc:

<policies>
    <inbound>
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/MY_AD_TENANT_ID/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>MY_BACKEND_APP_ID_GUID</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
</policies>

Screen cap of the Postman screen where I get the token (this works, but then when I send the request --> 401)

Screen cap of aud param in jwt.ms
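The aud mismatch described above can be checked offline, before touching the policy. The script below is an added example and is not code from the question, the answers or the Microsoft doc: it decodes a token the way jwt.ms does, without verifying the signature, and reports whether aud names the backend app registration (bare app id or api://<app id>) or instead names Microsoft Graph, whose well-known application id is the 00000003-0000-0000-c000-000000000000 value seen in the question. BACKEND_APP_ID, the two sample tokens and the nonce value are constructed placeholders.

```python
import base64
import json

# Well-known application id of Microsoft Graph: a token with this aud was requested for Graph
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt_unverified(token: str):
    """Split header.payload.signature and decode header and claims (no signature check)."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))

def diagnose_audience(token: str, backend_app_id: str) -> dict:
    """Report why a validate-jwt required aud claim would reject this token."""
    header, claims = decode_jwt_unverified(token)
    aud = claims.get("aud")
    # Azure AD may issue either the bare app id or the api://<app id> Application ID URI as aud
    accepted = {backend_app_id, f"api://{backend_app_id}"}
    return {
        "aud": aud,
        "ver": claims.get("ver"),
        "aud_matches_backend": aud in accepted,
        "issued_for_graph": aud == GRAPH_APP_ID,
        # Graph access tokens carry a nonce in the JWT header; seeing one is a second hint
        "nonce_in_header": "nonce" in header,
    }

def make_sample_token(header: dict, claims: dict) -> str:
    """Build an unsigned sample JWT (constructed test data; the signature is a dummy)."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])

# Constructed samples: one token like the one in the question (aud = Graph), one correct one
BACKEND_APP_ID = "16ca0000-0000-0000-0000-0000000000c0"  # placeholder, not a real app id
GRAPH_SCOPED_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "nonce": "constructed-nonce"},
    {"aud": GRAPH_APP_ID, "ver": "1.0", "appid": "client-app-placeholder"})
BACKEND_SCOPED_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "RS256"},
    {"aud": BACKEND_APP_ID, "ver": "2.0", "azp": "client-app-placeholder"})
```

Run diagnose_audience on the real token pasted from Postman with your backend app id; a report showing issued_for_graph means the client requested a Graph scope instead of a scope exposed by the backend app, and APIM's validate-jwt will keep returning 401 until the request asks for the backend app's scope.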

You're not really required to check the value of the aud parameter. You could remove required-claims altogether; this way token presence and signature would still be validated. If you want to make sure that the token was issued for your app, just find the claim that contains the app id and use it in name="..." to match against your app id value.

I had some problems with validating Azure AD tokens a couple of years back - see my write-up.

I suspect the problem is the nonce in the JWT header.

If you are using the v2 endpoint, go to Azure AD -> App registrations -> select the backend app -> Manifest -> update the property "accessTokenAcceptedVersion": 2
