
I am trying to configure an API in Azure so that it uses OAuth2 to validate calls to the API. The OAuth2 server has been set up and linked as per instructions I have found online. However, I am having trouble in checking the tokens on the API side. For this, I have found a tutorial online at: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies

Here the following template is given to add to your API's inbound checks to validate the JWT:

<validate-jwt   
    header-name="name of http header containing the token (use query-parameter-name attribute if the token is passed in the URL)"   
    failed-validation-httpcode="http status code to return on failure"   
    failed-validation-error-message="error message to return on failure"   
    require-expiration-time="true|false"
    require-scheme="scheme"
    require-signed-tokens="true|false"   
    clock-skew="allowed clock skew in seconds">  
    <issuer-signing-keys>  
        <key>base64 encoded signing key</key>  
        <!-- if there are multiple keys, then add additional key elements -->  
    </issuer-signing-keys>  
    <audiences>  
        <audience>audience string</audience>  
        <!-- if there are multiple possible audiences, then add additional audience elements -->  
    </audiences>  
    <issuers>  
        <issuer>issuer string</issuer>  
        <!-- if there are multiple possible issuers, then add additional issuer elements -->  
    </issuers>  
    <required-claims>  
        <claim name="name of the claim as it appears in the token" match="all|any" separator="separator character in a multi-valued claim">
            <value>claim value as it is expected to appear in the token</value>  
            <!-- if there is more than one allowed values, then add additional value elements -->  
        </claim>  
        <!-- if there are multiple possible allowed values, then add additional value elements -->  
    </required-claims>  
    <openid-config url="full URL of the configuration endpoint, e.g. https://login.constoso.com/openid-configuration" />  
    <zumo-master-key id="key identifier">key value</zumo-master-key>  
</validate-jwt>  

As it is not explicitly stated anywhere, can anyone please shed light on what the key, audience, claim, and issuer values mean and where I can find this information?


1 Answers


It seems you missed them in the article you mentioned.

issuer-signing-keys: A list of Base64-encoded security keys used to validate signed tokens. If multiple security keys are present, then each key is tried until either all are exhausted (in which case validation fails) or until one succeeds (useful for token rollover). Key elements have an optional id attribute used to match against kid claim.

audiences: Contains a list of acceptable audience claims that can be present on the token. If multiple audience values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one audience must be specified.

required-claims: Contains a list of claims expected to be present on the token for it to be considered valid. When the match attribute is set to all, every claim value in the policy must be present in the token for validation to succeed. When the match attribute is set to any, at least one claim must be present in the token for validation to succeed.

issuers: A list of acceptable principals that issued the token. If multiple issuer values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds.

For more details, refer to this link.
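A filled-in version of the template above for an API protected by an Azure AD (Microsoft identity platform) v2.0 app registration, added here as an example; it is not from the question, the answer or the Microsoft article. The tenant ID, application ID and scope names in curly braces are placeholders to be replaced with values from your own app registration, and the audience and issuer strings are shown in the form that tenant's tokens carry them.

```xml
<!-- Added example; not from the article or the answer. {...} values are placeholders. -->
<inbound>
    <validate-jwt
        header-name="Authorization"
        failed-validation-httpcode="401"
        failed-validation-error-message="Unauthorized. Access token is missing or invalid."
        require-expiration-time="true"
        require-scheme="Bearer"
        require-signed-tokens="true"
        clock-skew="60">
        <!-- The OpenID discovery document publishes the "issuer" value and the "jwks_uri"
             from which the signing keys are fetched, so no <issuer-signing-keys> element
             is needed when the token issuer supports OpenID Connect discovery. -->
        <openid-config url="https://login.microsoftonline.com/{TENANT-ID}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <!-- Checked against the token's "aud" claim: the App ID URI or the
                 application (client) ID of the API's app registration. -->
            <audience>api://{API-APPLICATION-ID}</audience>
            <audience>{API-APPLICATION-ID}</audience>
        </audiences>
        <issuers>
            <!-- Checked against the token's "iss" claim; must equal the "issuer"
                 value found in the discovery document referenced above. -->
            <issuer>https://login.microsoftonline.com/{TENANT-ID}/v2.0</issuer>
        </issuers>
        <required-claims>
            <!-- "scp" holds delegated scopes as one space-separated string, so the
                 separator splits it; match="any" accepts a token carrying either scope. -->
            <claim name="scp" match="any" separator=" ">
                <value>{Scope.Read}</value>
                <value>{Scope.Write}</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

Fetching the discovery URL in a browser shows the exact issuer string and the key set the policy will trust, which is the quickest way to confirm the values before deploying the policy.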