
Validating JWT generated from Azure AD


@Dino

I have a Java program which validates Azure generated JWT with following parameters

1. Token

2. App ID

3. Tenant ID

I have looked at your suggested videos for OIDC as well as watched videos

Unfortunately I am not able to do the same using VerifyJWT token policy in Edge.

My need is to ensure that all APIs are protected for internal users; however, the user store and authentication happen through Azure AD.

I keep getting Invalid Token error all the time.

1 ACCEPTED SOLUTION

Hi Raj,

We use Azure AD tokens as well. We have the following policies in place to do this:

1. Retrieve keys from MS:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout async="false" continueOnError="false" enabled="true" name="SC-RetrieveMicrosoftKeys">
    <DisplayName>SC-RetrieveMicrosoftKeys</DisplayName>
    <Properties/>
    <Request clearPayload="true" variable="myRequest">
        <Set>
            <Verb>GET</Verb>
        </Set>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    </Request>
    <Response>msKeys</Response>
    <HTTPTargetConnection>
        <Properties/>
        <URL>https://login.microsoftonline.com/XXXX-TENNANTID-XXXX/discovery/v2.0/keys</URL>
    </HTTPTargetConnection>
</ServiceCallout>

2. Extract JWT from header:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables name="Extract-JWT-Assign-Message" enabled="true" async="false" continueOnError="false">
    <Source>request</Source>
    <Header name="Authorization">
        <Pattern ignoreCase="false">Bearer {jwt}</Pattern>
    </Header>
    <VariablePrefix>authn</VariablePrefix>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>

3. Verify JWT:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="true" enabled="true" name="VerifyJWT">
    <DisplayName>VerifyJWT</DisplayName>
    <Algorithm>RS256</Algorithm>
    <Source>authn.jwt</Source>
    <PublicKey>
        <JWKS ref="msKeys.content"/>
    </PublicKey>
    <Issuer>https://sts.windows.net/XXXX-TENNANTID-XXXX/</Issuer>
    <Audience ref="aud"/>
    <AdditionalClaims>
        <Claim name="roles" ref="active-directory.jwt.roles" type="string" array="true"/>
    </AdditionalClaims>
</VerifyJWT>

We use a roles claim to check if the user has the roles claim in their token

We also cache the MS keys but I left that out because it does not impact your question.

Hope this helps!

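The same checks the three policies above perform, worked through by hand in standard-library Python as an added example (this is not code from the post, the poster, or Apigee): select the JWK by `kid` from the JWKS document, pin RS256, verify the RSASSA-PKCS1-v1_5 signature, and only then check `iss`, `aud`, `nbf`/`exp` and the `roles` claim. `validate()` returns `(claims, None)` on success or `(None, reason)` naming the check that failed; the JWKS passed to it is a constructed document standing in for the `msKeys.content` response, and tenant id, audience and key are placeholders.

```python
import base64, hashlib, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_v15_sha256_encode(message: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message), exactly k bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    # RSASSA-PKCS1-v1_5: sig^e mod n must equal the encoded digest, in exactly k bytes
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and recovered == pkcs1_v15_sha256_encode(signing_input, k)

def validate(token, jwks, issuer, audience, required_roles, now=None):
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:  # bad base64url, bad JSON, bad UTF-8 or wrong segment count
        return None, "malformed_token"
    if header.get("alg") != "RS256":  # pinned like <Algorithm>RS256</Algorithm>; "none"/HS256 rejected
        return None, "alg_not_allowed"
    jwk = next((j for j in jwks.get("keys", []) if j.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA":  # key chosen from the JWKS document by kid
        return None, "unknown_kid"
    if not rs256_verify(jwk, f"{h64}.{p64}".encode(), b64url_decode(s64)):
        return None, "bad_signature"
    if claims.get("iss") != issuer:  # <Issuer>; claims are trusted only after the signature check
        return None, "issuer_mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):  # <Audience ref="aud"/>
        return None, "audience_mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None, "expired_or_not_yet_valid"
    if not required_roles <= set(claims.get("roles") or []):  # <AdditionalClaims> roles array
        return None, "missing_role"
    return claims, None
```

Azure AD v1.0 tokens carry the issuer form used in the policy above, `https://sts.windows.net/<tenant>/`, while v2.0 tokens carry `https://login.microsoftonline.com/<tenant>/v2.0`, so the pinned issuer has to match the endpoint the client actually obtained the token from; with this function such a mismatch shows up as `issuer_mismatch` rather than a bare `Invalid Token`.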
