How to add decryption values for JWT and EasyAuth for Azure Functions

I have an Azure AD app registration that encrypts the JWT tokens it creates, and this works well for API Management. I decrypt and validate the token in API Management with the following policy:

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
        <openid-config url="https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration" />
        <decryption-keys>
            <key certificate-id="jwts" />
        </decryption-keys>
        <audiences>
            <audience>!redacted!</audience>
        </audiences>
        <issuers>
            <issuer>!redacted!</issuer>
        </issuers>
        <required-claims>
            <claim name="roles" match="any">
                <value>Accounts.Read.All</value>
            </claim>
        </required-claims>
    </validate-jwt>

However, when I forward the request to the function app with EasyAuth enabled, I get the following error:

    {
      "code": 401,
      "message": "IDX10609: Decryption failed. No Keys tried: token: '[PII is hidden]'."
    }

This makes sense because I haven't specified the decryption key anywhere, but I can't seem to find the setting for this value. Does anyone know how to do this?



Solution 1:

Please check whether any of the following are the cause:

  • Please check if you have passed the App ID in the allowed audiences: api://{Azure Function AD App Id}.
  • Try setting the authentication level to anonymous. Also check that the function key is supplied if the authentication level is not anonymous in your case (see: Adding Authentication to Your HTTP Triggered Azure Functions - DZone Security).
  • Also, after the token is received, check its issuer endpoint and see whether the accesstokenacceptedversion has the same version.
  • And check whether you need to turn on the system-assigned managed identity in APIM and change the inbound access policy in APIM to match.

References:

  1. Working with Azure Functions and (APIM) offering (majorguidancesolutions.com)
  2. Securing your Azure Functions App with API Management - Cloud management at your fingertips (mscloud.be)
  3. using-msal-net-to-call-an-azure-function-app-with-easy-auth-enabled
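As an added diagnostic example (not part of the question or the answer above), the script below tells a compact-serialized JWE (five segments, only the protected header readable without the key, which is the situation behind IDX10609) from a JWS (three segments) and, for a JWS, runs the audience, issuer and accepted-version checks from the checklist; the sample tokens, app id and tenant id are constructed placeholders.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url(obj) -> str:
    # Encode a dict as an unpadded base64url JSON segment (used for the samples only).
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def inspect_token(token: str) -> dict:
    """Classify a token as JWE or JWS. No signature/decryption is performed here;
    this only shows what a receiver without the decryption key can see."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5:  # JWE: header.encrypted_key.iv.ciphertext.tag
        return {"format": "JWE", "alg": header.get("alg"), "enc": header.get("enc"),
                "kid": header.get("kid"), "claims": None}
    if len(parts) == 3:  # JWS: header.payload.signature, payload is readable
        return {"format": "JWS", "alg": header.get("alg"), "enc": None,
                "kid": header.get("kid"), "claims": json.loads(b64url_decode(parts[1]))}
    raise ValueError(f"unexpected number of segments: {len(parts)}")

def check_claims(claims: dict, expected_audience: str, expected_version: str) -> list:
    """Return findings mirroring the checklist: aud, issuer endpoint, token version."""
    findings = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        findings.append(f"aud {auds} does not include {expected_audience!r}")
    ver, iss = claims.get("ver"), claims.get("iss", "")
    if ver != expected_version:
        findings.append(f"ver {ver!r} != accessTokenAcceptedVersion {expected_version!r}")
    # v2.0 tokens are issued from a .../v2.0 endpoint; a v1.0 issuer will not match.
    if expected_version == "2.0" and not iss.endswith("/v2.0"):
        findings.append(f"issuer {iss!r} is not a v2.0 endpoint")
    return findings

# Constructed sample tokens: placeholder ids, no real key material or signature.
JWE_SAMPLE = ".".join([_b64url({"alg": "RSA-OAEP", "enc": "A128CBC-HS256", "kid": "jwts"}),
                       "ZW5jcnlwdGVkLWtleQ", "aXY", "Y2lwaGVydGV4dA", "dGFn"])
JWS_SAMPLE = ".".join([_b64url({"alg": "RS256", "typ": "JWT", "kid": "k1"}),
                       _b64url({"aud": "api://placeholder-app-id", "ver": "1.0",
                                "iss": "https://sts.windows.net/tenant-id-placeholder/",
                                "roles": ["Accounts.Read.All"]}), "c2ln"])

if __name__ == "__main__":
    print(inspect_token(JWE_SAMPLE))
    print(check_claims(inspect_token(JWS_SAMPLE)["claims"], "api://placeholder-app-id", "2.0"))
```

Run the second check with the version your app manifest actually accepts; a `ver`/issuer mismatch is the case the third checklist item describes.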

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
