
Azure APIM JWT token validation fails with unclear error

I configured a policy in Azure API Management which includes a JWT token check. The policy is as follows:

<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                   require-expiration-time="false" require-scheme="Bearer" require-signed-tokens="true">
            <issuer-signing-keys>
                <key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmwIDAQAB</key>
            </issuer-signing-keys>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

The test request I send contains the Authorization header with the value Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ

When I enter this key with -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- and the token in jwt.io it says Signature Verified.

However, in API Management when I send a test request with trace enabled I get the following error which I do not understand:

validate-jwt (-1.088 ms)
{
 "message": "JWT Validation Failed: IDX10503: Signature validation failed.
 Token does not have a kid. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
 KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'. ,
 KeyId: \r\n'. Number of keys in TokenValidationParameters: '1'. \n
 Number of keys in Configuration: '0'. \nExceptions caught:
 \n 'System.NotSupportedException: IDX10634: Unable to create the 
 SignatureProvider.\nAlgorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey,
 KeyId: '', InternalId: 'D3UHVKlh_cCYIRkkI3Amxvzr2mtlzxMVD-ZG6JwNQqs'.'\n is not supported. 
 The list of supported algorithms is available here: 
 https://aka.ms/IdentityModel/supported-algorithms\r\n   
 at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider
 (SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)\r\n
 at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForVerifying
 (SecurityKey key, String algorithm, Boolean cacheProvider)\r\n   
 at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
 (Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm,
 SecurityToken securityToken, TokenValidationParameters validationParameters)\r\n
 at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature
 (String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, 
 BaseConfiguration configuration)\r\n'.\ntoken: 'hidden'.."
}

I am very confused by the System.NotSupportedException part. RS256 is clearly supported according to MS-Docs. I am also confused why it mentions a Symmetric security key.

Can someone tell me what this error is exactly saying and what I am doing wrong here?

The token is signed using RS256; for that, the key may be provided either via an OpenID configuration endpoint, via the ID of an uploaded certificate (in PFX format) that contains the public key, or as the modulus-exponent pair of the public key. See https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy#token-validation-with-rsa-certificate and https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy#usage-notes
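As an added example (not code from the question, the answer or Microsoft): the value pasted into `<key>` is a base64 SubjectPublicKeyInfo, but a bare `<key>` value is consumed as a shared secret, which is why the trace reports a SymmetricSecurityKey and then refuses to build an RS256 provider for it. The script below, using only the Python standard library, parses that SPKI into the RSA modulus and exponent, base64url-encodes them for the modulus-exponent form of `<key>` that the answer points to, and checks the token's RS256 signature against the same key, reproducing what jwt.io did. The key and token are copied from the question; the attribute names `n` and `e` follow the validate-jwt documentation linked in the answer, and the surrounding helper names are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Copied from the question: the base64 SubjectPublicKeyInfo pasted into <key>,
# and the Bearer token from the test request.
APIM_KEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmwIDAQAB"
)
TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ"
)

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2 note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _read_tlv(der, pos):
    """Minimal DER reader: return (tag, value, position after the element)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length field
        num = length & 0x7F
        length = int.from_bytes(der[pos:pos + num], "big")
        pos += num
    return tag, der[pos:pos + length], pos + length


def spki_to_rsa_parts(spki_b64):
    """Unwrap SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return (n, e) as ints."""
    tag, spki, _ = _read_tlv(base64.b64decode(spki_b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg_id, pos = _read_tlv(spki, 0)  # AlgorithmIdentifier (rsaEncryption), not needed here
    tag, bits, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _read_tlv(bits[1:], 0)  # bits[0] is the unused-bits octet
    tag_n, n_bytes, pos = _read_tlv(rsa_pub, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa_pub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected modulus and exponent INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_parts_to_jwk(n, e):
    """Base64url of the unsigned big-endian modulus and exponent, as JWK and APIM expect."""
    n_b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_b = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return _b64url_encode(n_b), _b64url_encode(e_b)


def apim_key_element(n_b64url, e_b64url):
    """Modulus-exponent form of <key> for <issuer-signing-keys> (attribute names per the linked docs)."""
    return f'<key n="{n_b64url}" e="{e_b64url}" />'


def verify_rs256(token, n, e):
    """RSASSA-PKCS1-v1_5 with SHA-256 over 'header.payload', checked against the public key (n, e)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "RS256":
        return False
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(_b64url_decode(sig_b64), "big")
    if sig >= n:
        return False
    em = pow(sig, e, n).to_bytes(k, "big")
    digest = hashlib.sha256(f"{header_b64}.{payload_b64}".encode("ascii")).digest()
    t = SHA256_DIGESTINFO + digest
    expected = b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def verify_token_with_apim_key(token, spki_b64):
    """Signature check for a token against the SPKI the poster put into <key>."""
    n, e = spki_to_rsa_parts(spki_b64)
    return verify_rs256(token, n, e)


if __name__ == "__main__":
    n, e = spki_to_rsa_parts(APIM_KEY_B64)
    n_b64, e_b64 = rsa_parts_to_jwk(n, e)
    print("signature valid:", verify_rs256(TOKEN, n, e))
    print(apim_key_element(n_b64, e_b64))
```

Run as a script it prints whether the question's token verifies under the question's key and the `<key n="..." e="..." />` line to drop into `<issuer-signing-keys>` in place of the bare base64 value. The DER walker is deliberately minimal (one SEQUENCE, one BIT STRING, two INTEGERs) and is only meant for RSA SubjectPublicKeyInfo blobs; use a real library such as `cryptography` for anything beyond this conversion.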
