Reputation: 2042
We have a validate-jwt policy in APIM to validate JWT tokens. We are generating the token from our function app using the Azure.Identity library. Until now we were using the system-assigned identity to generate the token, using the method below.
using Azure.Core;
using Azure.Identity;

// System-assigned identity: DefaultAzureCredential falls through to the managed identity on the function app
var tokenCredential = new DefaultAzureCredential();
var accessToken = await tokenCredential.GetTokenAsync(
    new TokenRequestContext(scopes: new string[] { "https://management.azure.com" + "/.default" }) { });
The token is generated successfully, and we are able to validate it in the policy. Below is the APIM XML policy.
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Invalid or Expired token" require-expiration-time="true" require-signed-tokens="true">
    <openid-config url="https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration" />
    <audiences>
        <audience>https://management.azure.com</audience>
    </audiences>
    <issuers>
        <issuer>https://sts.windows.net/tenantid/</issuer>
    </issuers>
    <required-claims>
        <claim name="oid" match="any">
            <value>objectid of the managed identity/system assigned</value>
        </claim>
    </required-claims>
</validate-jwt>
Now we have created a user-assigned managed identity and assigned it to the function app. With the code below I am able to generate the token, but APIM throws a weird error.
using Azure.Core;
using Azure.Identity;

// User-assigned identity: select it explicitly by its client ID
var azureServiceTokenProvider = new ManagedIdentityCredential(clientId: "client-id-of-managed-identity-id");
accessToken = await azureServiceTokenProvider.GetTokenAsync(
    new TokenRequestContext(new[] { "https://management.azure.com" + "/.default" }));
APIM reports:

"JWT Validation Failed: IDX10501: Signature validation failed. Unable to match key:
kid: ''.
Exceptions caught:
''."
Any idea how to overcome this?
Upvotes: 0
Views: 1309
Reputation: 2042
I updated my code to use DefaultAzureCredential instead of ManagedIdentityCredential, and it started working.
using Azure.Core;
using Azure.Identity;

// Point DefaultAzureCredential at the user-assigned identity via its client ID
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = "managed_identity_client_id"
});
AccessToken accessToken = await credential.GetTokenAsync(
    new TokenRequestContext(scopes: new string[] { "https://management.azure.com" + "/.default" }) { });
I passed the client ID of the managed identity and am able to proceed with the generated token.
Upvotes: 0
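A local check of the claims the policy inspects, as an added example that is not part of the question or the answer above. It decodes a token's header and payload without verifying the signature and mirrors the non-cryptographic checks of the validate-jwt policy (kid present, exp, aud, iss, the oid required claim). Run it against the token string returned by ManagedIdentityCredential or DefaultAzureCredential and it tells you, before the token reaches APIM, whether the problem is an empty kid (the IDX10501 symptom quoted in the question) or a claim mismatch. The tokens it processes are constructed inline with a dummy signature; the "tenantid" and object-id placeholders are the page's own. Signature verification against the JWKS behind the openid-config URL is deliberately left to APIM, so this script is an inspection aid, not a replacement for the policy.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Values copied from the APIM policy in the question; the tenant id and object id are
# the placeholders that appear on the page, not real identifiers.
POLICY = {
    "audiences": ["https://management.azure.com"],
    "issuers": ["https://sts.windows.net/tenantid/"],
    "required_oids": ["objectid of the managed identity/system assigned"],
}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding (RFC 7515); restore '=' before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, payload) of a compact JWS. The signature is NOT verified here:
    this is an inspection tool; the cryptographic check stays with APIM."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_against_policy(token: str, policy: Dict = POLICY, now: Optional[float] = None) -> List[str]:
    """Mirror the claim checks of the validate-jwt policy and return every problem found
    (an empty list means the claims would pass). Signature validity is out of scope."""
    now = time.time() if now is None else now
    try:
        header, payload = decode_jwt_unverified(token)
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return [f"malformed token: {exc}"]

    problems: List[str] = []
    # require-signed-tokens="true": APIM looks up header.kid in the JWKS referenced by the
    # openid-config document. An empty kid can never match a key, which is what IDX10501 reports.
    if header.get("alg", "none") == "none":
        problems.append("alg=none: token is unsigned")
    if not header.get("kid"):
        problems.append("empty kid: no JWKS key can be matched (IDX10501)")
    # require-expiration-time="true"
    exp = payload.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif exp <= now:
        problems.append("token expired")
    # <audiences>: aud may be a single string or a list
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in policy["audiences"] for a in aud_list):
        problems.append(f"audience {aud!r} not in {policy['audiences']}")
    # <issuers>
    if payload.get("iss") not in policy["issuers"]:
        problems.append(f"issuer {payload.get('iss')!r} not in {policy['issuers']}")
    # <required-claims> oid match="any"
    if payload.get("oid") not in policy["required_oids"]:
        problems.append(f"oid {payload.get('oid')!r} not in the required-claims list")
    return problems


def make_constructed_token(header: Dict, payload: Dict) -> str:
    """Build a compact JWS with a dummy signature, for offline testing only. Constructed data:
    a real Azure AD token carries an RS256 signature made with the key named in kid."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


_NOW = int(time.time())
_CLAIMS = {
    "aud": "https://management.azure.com",
    "iss": "https://sts.windows.net/tenantid/",
    "exp": _NOW + 3600,
    "oid": "objectid of the managed identity/system assigned",
    "ver": "1.0",
}
# Constructed token shaped like one the policy accepts.
GOOD_TOKEN = make_constructed_token({"typ": "JWT", "alg": "RS256", "kid": "constructed-kid-1"}, _CLAIMS)
# Same claims, but the header carries an empty kid: the symptom quoted in the question.
EMPTY_KID_TOKEN = make_constructed_token({"typ": "JWT", "alg": "RS256", "kid": ""}, _CLAIMS)

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("empty kid", EMPTY_KID_TOKEN)]:
        print(f"{name}: {check_against_policy(tok) or 'OK'}")
```

To inspect a real token, call check_against_policy with the string from accessToken.Token; because the script never leaves the machine, it avoids pasting a live bearer token into a web-based decoder. If it reports nothing but APIM still rejects the token, the remaining difference is the signature itself, which means comparing the header's kid with the keys served at the jwks_uri of the configured openid-config URL.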