Hi,
I have set up OAuth2 in my Azure APIM instance. The applications which I am using are registered in an ADB2C tenant. I am getting the access token, but it is not a valid token; I am getting the JWT validation error below:
validate-jwt (70 ms)
{
"message": "JWT Validation Failed: IDX10205: Issuer validation failed. Issuer: 'https://login.microsoftonline.com/2fa002e8-d595-49fb-b4d9-7aa6159af2f6/v2.0'. Did not match: validationParameters.ValidIssuer: '' or validationParameters.ValidIssuers: 'https://sts.windows.net/2fa002e8-d595-49fb-b4d9-7aa6159af2f6/'.."
}
This is the policy which I am using to validate the JWT token:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/2fa002e8-d595-49fb-b4d9-7aa6159af2f6/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud">
            <value>c9ee90e1-af0c-4f2d-8e3f-9ccfa0da927e</value>
        </claim>
    </required-claims>
</validate-jwt>
Make sure you do the following:
<inbound>
    <base />
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/YOUR_AD_TENANT_ID/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud">
                <value>YOUR_BACK_END_APPLICATION_ID</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
That is exactly what I did. But it is failing because of invalid issuer.
Is the version parameter included in your second URL?
One value is coming from the discovery document - one value is coming from the token.
Both are "calculated" from the current HTTP request. So my guess is you are somehow using HTTP vs HTTPS in certain situations (or a reverse proxy is terminating the TLS channel in certain cases).
Do you have a reverse proxy/load balancer that is terminating HTTPS?
Let me know if any of these suggestions help.
Let me know if this helped!
If this resolves your issue please let me know. Otherwise I will close this issue out. Please open a new issue or leave a comment if you need further assistance.
Hi @MarileeTurscak-MSFT, thanks for the response. I resolved this issue by setting the v2 URL in the function app Easy Auth settings and also in the APIM JWT validation policy. So now JWT validation succeeds, but I am still not able to access the back-end resource; I am getting a 401 error: "you do not have permission to view this directory".
For anyone looking, the correct v2 URL can be found here
and more precisely:
"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0"
I had a similar issue and found the resolution from Microsoft. This issue is related to application registration in Azure AD. When we register an application, it gets registered with version V1 and the access token issuer comes with the sts URL; if we try to pass an access token with V2, it fails because the V2 issuer is login.microsoft.com. So the fix is to go into the manifest file and set "accessTokenAcceptedVersion": 2 for all registered applications in AD.
You don't need to edit the manifest, the simple solution is to just list the issuer in the JWT policy:
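As an added example (not the thread's own policy and not Microsoft's reference text), the following validate-jwt policy follows the advice given in this thread: it points openid-config at the v2.0 discovery document, lists the issuer explicitly with an issuers element so the value no longer has to be inferred from the discovery document, and checks the audience. The tenant ID, application ID and the surrounding inbound section are placeholders. It lists both the v2.0 issuer and the v1 sts.windows.net issuer that appear in the error message above, which is only appropriate while an application still has clients presenting tokens of both versions; once every client sends v2 tokens (accessTokenAcceptedVersion set to 2), remove the sts.windows.net line so a v1 token is rejected.

```xml
<inbound>
    <base />
    <!-- Added example, not the original poster's policy. Placeholders:
         YOUR_AD_TENANT_ID and YOUR_BACK_END_APPLICATION_ID must be replaced. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <!-- v2.0 discovery document: its "issuer" value is
             https://login.microsoftonline.com/{tenantid}/v2.0, matching a v2 token -->
        <openid-config url="https://login.microsoftonline.com/YOUR_AD_TENANT_ID/v2.0/.well-known/openid-configuration" />
        <!-- Explicit issuer list: the token's "iss" claim must equal one of these.
             Keep only the v2.0 entry once all clients present v2 tokens. -->
        <issuers>
            <issuer>https://login.microsoftonline.com/YOUR_AD_TENANT_ID/v2.0</issuer>
            <issuer>https://sts.windows.net/YOUR_AD_TENANT_ID/</issuer>
        </issuers>
        <!-- The "aud" claim must be the back-end application's ID;
             a token requested for another resource is rejected here -->
        <audiences>
            <audience>YOUR_BACK_END_APPLICATION_ID</audience>
        </audiences>
    </validate-jwt>
</inbound>
```

If the token is instead rejected with a claim or audience mismatch, decode it (for example at jwt.io, as done later in this thread) and compare its aud value with the audience configured here: a token acquired for a different resource carries that resource's identifier as aud and will never satisfy this policy.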
Hi,
I am having the same issue.
I have followed the thread and verified that in my Application Registration manifest "accessTokenAcceptedVersion": 2
In addition I have added the
<openid-config url="https://login.microsoftonline.com/YOUR_AD_TENANT_ID/.well-known/openid-configuration" />
Now my error is:
System.Exception: Claim value mismatch
While the aud presented in the error is equal to the one I am getting after authentication (validated via jwt.io).
In my code I am referring to https://graph.microsoft.com
I had been using the separator "-", which caused this issue. After deleting it, everything was resolved.