How to validate JWT signed with RS256 Algorithm with validate-jwt policy in Azure API management

3
votes

I can successfully validate JWT signed with HS256 using validate-jwt policy in Azure API management by setting the <issuer-signing-keys> attribute. But how can I validate JWT signed with RS256? I tried put the public key or certificate in <issuer-signing-keys> but it does not work.

2
azurejwtazure-api-management

2 Answers

5
votes

At the moment the only way to validate rsa-signed tokens is with openid url.

0
votes

I was able to validate such a token with the following policy

<issuer-signing-keys>
    <key certificate-id="my-rsa-cert" />
</issuer-signing-keys>

You can do that with the following steps:

  1. Create a certificate with the commands below

    openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
    openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfx

  2. Load the certificate "Local.pfx" on the API management with id "my-rsa-cert".

  3. Generate the tokens from the certificate with the code below

     /////////////////////////////////////////////
 // Token Generation
 var CLIENT_ID = "Local";
 var ISSUER_GUID = "b0123cec-86bb-4eb2-8704-dcf7cb2cc279";

 var filePath = @"..\..\..\Cert\Local.pfx";
 var x509Certificate2 = new X509Certificate2(filePath, "<certpwd>");

 var signingCredentials = new X509SigningCredentials(x509Certificate2, SecurityAlgorithms.RsaSha256Signature); //, SecurityAlgorithms.Sha256Digest
 var tokenHandler = new JwtSecurityTokenHandler();

 var originalIssuer = $"{CLIENT_ID}";
 var issuer = originalIssuer;

 DateTime utcNow = DateTime.UtcNow;
DateTime expired = utcNow + TimeSpan.FromHours(1);

 var claims = new List<Claim> {
         new Claim("aud", "https://login.microsoftonline.com/{YOUR_TENENT_ID}/oauth2/token", ClaimValueTypes.String, issuer, originalIssuer),
         new Claim("exp", "1460534173", ClaimValueTypes.DateTime, issuer, originalIssuer),
         new Claim("jti", $"{ISSUER_GUID}", ClaimValueTypes.String, issuer, originalIssuer),
         new Claim("nbf", "1460533573", ClaimValueTypes.String, issuer, originalIssuer),
         new Claim("sub", $"{CLIENT_ID}", ClaimValueTypes.String, issuer, originalIssuer)
     };

 ClaimsIdentity subject = new ClaimsIdentity(claims: claims);

 var tokenDescriptor = new SecurityTokenDescriptor
 {
     Subject = subject,
     Issuer = issuer,
     Expires = expired,

     //TokenIssuerName = "self",
     //AppliesToAddress = "https://www.mywebsite.com",
     //Lifetime = new Lifetime(now, now.AddMinutes(60)),
     SigningCredentials = signingCredentials,
 };

 JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
 jwtToken.Header.Remove("typ");
 var token = tokenHandler.WriteToken(jwtToken);

 this.Output = jwtToken.ToString();
 this.Output += "\r\n" + token.ToString();


 JwtSecurityToken jwtToken = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
 jwtToken.Header.Remove("typ");
 var token = tokenHandler.WriteToken(jwtToken);

  4. send requests to the API with the generated Bearer Tokens