1
votes

I am trying to set up a JWT validation policy in the Azure portal, and I have searched for and pasted almost all solutions available on the net, but none seem to work. Here is the policy that I have set up:

<policies>
   <inbound>
      <validate-jwt header-name="Authorization" require-scheme="Bearer">
         <issuer-signing-keys>
            <key>X3IwT3A3bkVfZn40aHkueTBuX2lWd0J6OWNsMjI2Uk9WZw==</key>
         </issuer-signing-keys>
         <decryption-keys>
            <key>X3IwT3A3bkVfZn40aHkueTBuX2lWd0J6OWNsMjI2Uk9WZw==</key>
         </decryption-keys>
         <audiences>
            <audience>api://53cd59c4-53e7-46e6-890b-1dcac2cb2423</audience>
         </audiences>
         <issuers>
            <issuer>https://sts.windows.net/5181d074-dbc6-49e9-9ada-051bc62d5e3e/</issuer>
         </issuers>
         <required-claims>
            <claim name="scope" match="any" separator=" ">
               <value>Files.Read</value>
            </claim>
         </required-claims>
      </validate-jwt>
   </inbound>
   <backend>
      <base />
   </backend>
   <outbound>
      <base />
   </outbound>
   <on-error>
      <base />
   </on-error>
</policies>

Request:

GET https://insyncapim.azure-api.net/api/Product/api/Product HTTP/1.1
Host: insyncapim.azure-api.net
Authorization: Bearer {my JWT token}
Ocp-Apim-Subscription-Key: ••••••••••••••••••••••••••••••••
Ocp-Apim-Trace: true

response:

content-length: 85
content-type: application/json
date: Thu, 12 Nov 2020 09:13:53 GMT
ocp-apim-trace-location: https://apimstu4tludl9hfaq8f2v6o.blob.core.windows.net/apiinspectorcontainer/wEGj7uZ8ebXmIo1P1hgGvw2-16?sv=2018-03-28&sr=b&sig=sQ98cMJe58d6bJcmZ%2BRqGHtn6jk6S13p7ORbFlWkIwI%3D&se=2020-11-13T09%3A13%3A53Z&sp=r&traceId=3f4870770f544ed28962360a04112ef8
vary: Origin
{
    "statusCode": 401,
    "message": "Unauthorized. Access token is missing or invalid."
}

trace:

api-inspector
{
    "request": {
        "method": "GET",
        "url": "https://insyncapim.azure-api.net/api/Product/api/Product",
        "headers": [
            {
                "name": "Ocp-Apim-Subscription-Key",
                "value": {My subscription key}
            },
            {
                "name": "Sec-Fetch-Site",
                "value": "cross-site"
            },
            {
                "name": "Sec-Fetch-Mode",
                "value": "cors"
            },
            {
                "name": "Sec-Fetch-Dest",
                "value": "empty"
            },
            {
                "name": "X-Forwarded-For",
                "value": "182.75.240.158"
            },
            {
                "name": "Cache-Control",
                "value": "no-cache, no-store"
            },
            {
                "name": "Content-Type",
                "value": "text/plain;charset=UTF-8"
            },
            {
                "name": "Accept",
                "value": "*/*"
            },
            {
                "name": "Accept-Encoding",
                "value": "gzip,deflate,br"
            },
            {
                "name": "Accept-Language",
                "value": "en-US,en;q=0.9"
            },
            {
                "name": "Authorization",
                "value": "Bearer {my JWT token}"
            },
            {
                "name": "Host",
                "value": "insyncapim.azure-api.net"
            },
            {
                "name": "Referer",
                "value": "https://apimanagement.hosting.portal.azure.net/"
            }
        ]
    }
}

api-inspector
{
    "configuration": {
        "api": {
            "from": "/api/Product",
            "to": null,
            "version": null,
            "revision": "1"
        },
        "operation": {
            "method": "GET",
            "uriTemplate": "/api/Product"
        },
        "user": "-",
        "product": "-"
    }
}

And I am trying to generate the access token using Postman; the access token is getting generated. But whenever I try to request the API using the access token, the result is always 401 Unauthorized. I am trying it for the first time, please help me out.

Could you please share the details of how you generated the access token in Postman? And does this API just need the Files.Read permission? – Hury Shen
And could you please share the full trace whose location was provided in Ocp-Apim-Trace-Location? – Hury Shen
Hi @HuryShen, I got all the credentials from App Registration -> Demo App -> Endpoints. Then, in Postman, from the Authorization tab, I selected OAuth 2.0 -> Get New Access Token. The access token generated in this step is used for further API requests. I couldn't find any scope-related documentation where valid scopes are mentioned, and requesting the access token without a scope was throwing an error. I watched a YouTube video where he used this scope, so I used this scope. – Indranil Saha
It seems you do not know which scopes the access token contains. You need to know which permission you want to assign to the app in your Azure AD. If you have already assigned the permission to the app and also granted admin consent for it, you can copy your access token to this page and decode the token. Then check if there is a scope field in the decoded token. I guess there may not be a field in the token named scope; the field may be named scp instead. – Hury Shen
Yes, I have decoded the access token and it contains "scp": "Files.Read profile openid email". – Indranil Saha
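As an added diagnostic (not part of the question or any comment), the script below decodes a JWT payload without verifying it and compares aud, iss and the required claim against the values copied from the policy above; the sample payload is constructed to mirror the commenter's decoded token, which carries scopes under scp while the policy requires a claim named scope.

```python
import base64
import json

# Values copied from the question's <validate-jwt> policy.
POLICY = {
    "audiences": {"api://53cd59c4-53e7-46e6-890b-1dcac2cb2423"},
    "issuers": {"https://sts.windows.net/5181d074-dbc6-49e9-9ada-051bc62d5e3e/"},
    # <claim name="scope" match="any" separator=" "> -> (name, separator, accepted values)
    "required_claim": ("scope", " ", {"Files.Read"}),
}

def decode_payload(token: str) -> dict:
    """Return the payload claims only. The signature is NOT verified here:
    this is a diagnostic for reading claims, not an authorization decision."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)  # JWTs strip base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_against_policy(payload: dict, policy: dict) -> list:
    """List each reason the policy's claim checks would reject this payload."""
    problems = []
    aud = payload.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & policy["audiences"]:
        problems.append(f"aud {sorted(auds, key=str)} not in configured <audiences>")
    if payload.get("iss") not in policy["issuers"]:
        problems.append(f"iss {payload.get('iss')!r} not in configured <issuers>")
    name, sep, wanted = policy["required_claim"]
    if name not in payload:
        hint = " (token carries 'scp' instead)" if "scp" in payload else ""
        problems.append(f"required claim {name!r} missing{hint}")
    elif not set(str(payload[name]).split(sep)) & wanted:  # match="any"
        problems.append(f"{name} has none of {sorted(wanted)}")
    return problems

def make_test_token(payload: dict) -> str:
    """Constructed token for local testing: real header shape, placeholder signature."""
    b64url = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'RS256', 'typ': 'JWT'})}.{b64url(payload)}.placeholder-signature"

# Constructed payload mirroring the commenter's decoded token (scopes under "scp").
SAMPLE_PAYLOAD = {
    "aud": "api://53cd59c4-53e7-46e6-890b-1dcac2cb2423",
    "iss": "https://sts.windows.net/5181d074-dbc6-49e9-9ada-051bc62d5e3e/",
    "scp": "Files.Read profile openid email",
}

if __name__ == "__main__":
    for p in check_against_policy(decode_payload(make_test_token(SAMPLE_PAYLOAD)), POLICY):
        print("validate-jwt would reject:", p)
```

To inspect a real token, pass its string to decode_payload instead of make_test_token; the checks only mirror the claim rules in the policy, not its signature or subscription-key handling.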

1 Answer

0
votes

I was having the same problem; I solved it by unchecking "Subscription required". To do it, go to your API Management > APIs > select your API > Settings > look for "Subscription required" and uncheck it.
