Reputation: 5458
How to validate JWT signed with RS256 Algorithm with validate-jwt policy in Azure API management
I can successfully validate JWT signed with HS256 using validate-jwt policy in Azure API management by setting the <issuer-signing-keys> attribute. But how can I validate JWT signed with RS256? I tried put the public key or certificate in <issuer-signing-keys> but it does not work.
Upvotes: 3
Views: 2989
Answers (2)
Reputation: 46
I was able to validate such a token with the following policy
<issuer-signing-keys>
<key certificate-id="my-rsa-cert" />
</issuer-signing-keys>
You can do that with the following steps:
Create a certificate with the commands below
openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfxLoad the certificate "Local.pfx" on the API management with id "my-rsa-cert".
Generate the tokens from the certificate with the code below
///////////////////////////////////////////// // Token Generation var CLIENT_ID = "Local"; var ISSUER_GUID = "b0123cec-86bb-4eb2-8704-dcf7cb2cc279"; var filePath = @"..\..\..\Cert\Local.pfx"; var x509Certificate2 = new X509Certificate2(filePath, "<certpwd>"); var signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature); //, SecurityAlgorithms.Sha256Digest var tokenHandler = new JwtSecurityTokenHandler(); var originalIssuer = $"{CLIENT_ID}"; var issuer = originalIssuer; DateTime utcNow = DateTime.UtcNow; DateTime expired = utcNow + TimeSpan.FromHours(1); var claims = new List<Claim> { new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENENT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer), new Claim("exp", "1460534173", ClaimValueTypes.DateTime, issuer, originalIssuer), new Claim("jti", $"{ISSUER_GUID}", ClaimValueTypes.String, issuer, originalIssuer), new Claim("nbf", "1460533573", ClaimValueTypes.String, issuer, originalIssuer), new Claim("sub", $"{CLIENT_ID}", ClaimValueTypes.String, issuer, originalIssuer) }; ClaimsIdentity subject = new ClaimsIdentity(claims: claims); var tokenDescriptor = new SecurityTokenDescriptor { Subject = subject, Issuer = issuer, Expires = expired, //TokenIssuerName = "self", //AppliesToAddress = "https://www.mywebsite.com", //Lifetime = new Lifetime(now, now.AddMinutes(60)), SigningCredentials = signingCredentials, }; JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken; jwtToken.Header.Remove("typ"); var token = tokenHandler.WriteToken(jwtToken); this.Output = jwtToken.ToString(); this.Output += "\r\n" + token.ToString(); JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken; jwtToken.Header.Remove("typ"); var token = tokenHandler.WriteToken(jwtToken);send requests to the API with the generated Bearer Tokens
Upvotes: 1
Reputation: 633
At the moment the only way to validate rsa-signed tokens is with openid url.
Upvotes: 5
Related Questions
- Verifying JWT signed with the RS256 algorithm using public key in C#
- Validate JWT in Azure APIM policy
- Regarding azure api manager validate-jwt policy schema. The schema does not match a documentation reference to <id> attribute in issuer-signing-keys
- How can I sign a JWT with RSA SHA256 in an Azure API Management Policy Expression?
- Azure ApiM unable to create jwt token validation policy with RSA certificate
- Azure API Management - Validate-JWT - disable certificate validation
- XML syntax help while creating Azure API Management policy
- Azure Api Management ValidateJWT With Rs256 PrivateKey