
I have set up a backend-app, client-app and OAuth server in API Manager pretty much according to example. Currently the OAuth server and both app registrations are set up to use v2 endpoints. Currently the default scope of the OAuth server is set to api://<backend-app client ID>. This is also the value of the audience tag in validate-jwt policy. I have no required-claims in the validate-jwt policy. For each change in config I re-authorize in the test console try-it modal.

It seems like no matter how much I fiddle with the parameters, the aud claim of the token received by the developer portal test console is "aud": "00000003-0000-0000-c000-000000000000".

What am I doing wrong?

EDIT:

I realized I have to publish changes to the developer portal. I was also wrongly assuming that I needed no scope in the API, since I am developing an API that is to be called by a daemon app only (using app roles). After setting a test scope in the app registrations, granting admin consent, and publishing the developer portal, the token carries the correct aud claim. I still get 401 however, but assume that is a different question.

2 Answers


  1. Chosen as BEST ANSWER

    During my initial attempts I failed to do two things:

    1. Republish developer portal after changing API
    2. Set a valid, non-default app scope in both app registrations

    The reason for not setting a scope beyond the default scope of the API App reg. was that the API is intended to be called by a daemon app only. Unless I misunderstand things further, calling a protected API from the developer test portal requires a delegated permission (scope), because the developer authorizes interactively upon fetching the OAuth token.

    NB! Not answering the question directly, but I had to remove the api:// part of the <audience> definition in the validate-jwt policy for the token to be authorized. Using the 2.0 endpoint.


  2. I have added OAuth 2.0 as shown below.


    Add Authorization code grant flow URL in Authorization of your registered app.


    Then I enabled OAuth 2.0 in API’s setting.


    Added validate-jwt policy.

    <policies>
        <inbound>
            <base />
            <!-- Reject the request before it reaches the backend unless the bearer token validates. -->
            <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
                <!-- Signing keys are discovered from the tenant's v2.0 metadata document. -->
                <openid-config url="https://login.microsoftonline.com/{tenant_Id}/v2.0/.well-known/openid-configuration" />
                <!-- Must equal the token's aud claim exactly. api://{client_Id} is the App ID URI;
                     an access token minted in v2.0 format (accessTokenAcceptedVersion = 2) carries
                     the bare client ID instead, so the prefix decides whether validation passes. -->
                <audiences>
                    <audience>api://{client_Id}</audience>
                </audiences>
                <!-- This is the v1.0 token issuer; tokens in v2.0 format are issued by
                     https://login.microsoftonline.com/{tenant_Id}/v2.0 and would fail this check. -->
                <issuers>
                    <issuer>https://sts.windows.net/{tenant_Id}/</issuer>
                </issuers>
                <!-- Redundant with <audiences> above, but harmless: aud must again equal the App ID URI. -->
                <required-claims>
                    <claim name="aud" match="all">
                        <value>api://{client_Id}</value>
                    </claim>
                </required-claims>
            </validate-jwt>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>

    I tested this configuration in portal before trying it in developer portal by providing the bearer token manually in the request header and it worked.


    Trace (screenshot of the APIM trace output)

    Try to test it in the portal first before moving to the Developer portal, and if you get any error then check the Trace.
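As an added example (not code from either answer), here is a small Python diagnostic that pulls the audiences and issuers out of the validate-jwt policy posted above and compares them with the aud and iss claims of a token, flagging the api:// prefix mismatch the accepted answer ran into. The client and tenant IDs and the tokens are constructed placeholders; the token is decoded without signature verification, so this is for troubleshooting only, not a substitute for the policy.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Trimmed copy of the validate-jwt policy posted above (only the parts checked here).
POLICY_XML = """<policies><inbound><base />
<validate-jwt header-name="Authorization" require-scheme="Bearer">
  <audiences><audience>api://{client_Id}</audience></audiences>
  <issuers><issuer>https://sts.windows.net/{tenant_Id}/</issuer></issuers>
</validate-jwt></inbound></policies>"""

def policy_expectations(policy_xml, **placeholders):
    """Return (audiences, issuers) from the policy with {client_Id}/{tenant_Id} filled in."""
    vj = ET.fromstring(policy_xml).find(".//validate-jwt")
    auds = [a.text.format(**placeholders) for a in vj.findall("audiences/audience")]
    isss = [i.text.format(**placeholders) for i in vj.findall("issuers/issuer")]
    return auds, isss

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Constructed stand-in for a real token: header.payload with an empty signature,
    enough to inspect claims; such a token must never be accepted by a validator."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token, audiences, issuers):
    """Return findings on why validate-jwt would reject aud/iss; empty list means both match."""
    claims = decode_claims(token)
    aud, iss = claims.get("aud"), claims.get("iss")
    token_auds = aud if isinstance(aud, list) else [aud]
    findings = []
    if not any(a in audiences for a in token_auds):
        msg = f"aud {aud!r} not in policy audiences {audiences}"
        # The mismatch from the accepted answer: same client ID, but the token carries
        # the bare GUID while the policy expects the api:// App ID URI (or vice versa).
        strip = lambda s: str(s).replace("api://", "")
        if any(strip(a) == strip(t) for a in audiences for t in token_auds):
            msg += " (same client ID; only the api:// prefix differs)"
        findings.append(msg)
    if iss not in issuers:
        findings.append(f"iss {iss!r} not in policy issuers {issuers}")
    return findings
```

A token whose aud is 00000003-0000-0000-c000-000000000000, as in the question, is reported as a plain audience mismatch rather than a prefix problem, which points at the scope being requested rather than at the policy.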
