Getting JWT for Service Account in Azure Active Directory
Protect Function App can use the Microsoft identity platform endpoint for identity-as-a-service, available in Azure Active Directory, to implement OpenID Connect and OAuth 2.0 authorization. This section describes how to get a JWT using the OAuth 2.0 client credentials grant flow in Azure Active Directory and how to authorize the Client ID in the Protegrity Policy.
Note
Protect Function App and Azure Active Directory support more authorization methods; choose the procedure that fits the use case. Suggested reading: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
High-level design:
- Active Directory Admin creates App registration for the service account.
- Active Directory Admin gives consent for the Service Account App ID.
- The daemon uses the Service Account App ID together with the Service Account App Secret or Certificate, with the Protect Function App ID as the scope, and gets back the Access Token (JWT).
- The daemon sends the request to the Protect Function App, including the access token in the Authorization Bearer header.
Configure the Protect Function App:
From the Azure console, navigate to the Function App service and select the Protect Function App.
Navigate to Settings > Environment variables and click OPENID_ENABLED. Make sure it is set to true.
Click OPENID_AUDIENCES and make sure it is set to the App ID recorded in EntraIDApplicationID.
Click, or add, the authorization environment variable. Make sure it is set to jwt.
Click, or add, the jwt_user_claim environment variable. Make sure it is set to ["azp", "appid"]. For more information on the claims in an AAD access token, refer to:
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
To register a Service Account:
In the Azure portal navigate to Azure Active Directory.
Under Manage, select App registrations > New registration.
Enter a Name and select Accounts in any organizational directory.
Set the Redirect URI to http://localhost.
Select Register.
After registration is complete, record the Application ID and the Directory (tenant) ID displayed in the overview window:
Service Account App ID: ___________________
Directory (tenant) ID: ___________________
In the Azure portal, in App registrations, select your application.
Select Certificates & secrets > New client secret.
Add a description for your client secret.
Select a duration.
Click Add.
Record the secret’s value for use in your client application code. This secret value is never displayed again after you leave this page.
Service Account App Secret: ___________________
For more information on app registration, see the Azure documentation: Quickstart Registering App.
Admin Consent the Service Account:
https://login.microsoftonline.com/{tenant}/adminconsent?
client_id={Service Account App ID}
&state=12345
&redirect_uri=http://localhost
Replace the tenant and the Service Account App ID with the values recorded in the previous step. At this point, Azure AD enforces that only a tenant administrator can sign in to complete the request. The administrator will be asked to approve all the direct application permissions that were requested for the app in the app registration portal.
Get the access token
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id={Service Account App ID}&scope={EntraIDApplicationID}%2F.default&client_secret={Service Account App Secret}&grant_type=client_credentials' 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token'
Replace Service Account App ID, EntraIDApplicationID, Service Account App Secret, and tenant with values recorded in previous steps.
Example for successful response:
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBP..."
}
Record the access_token from the response. access_token: ___________________
Tip
The access token content can be reviewed at https://jwt.ms.
Note
Ensure that the claim azp or appid is included in the JWT and that its value exists in the policy as a user with protect permissions.
Use the token
curl -X POST "https://<Protect hostname>/api/v1/protect" -k \
-H 'x-functions-key: <Protect Function app key>' \
-H 'Authorization: Bearer <access_token>' \
-H 'Content-Type: application/json' \
-d '{
"data": ["hello world!"],
"data_element": "alpha"
}'
Replace the {Protect hostname}, {Protect Function app key} and {access_token} with the.
Troubleshooting:
- The Service Account App ID redirect URL matches the redirect URL in the admin consent request.
- An Active Directory administrator has given admin consent.
- The JWT aud claim is the same as OPENID_AUDIENCES.
- The JWT iss claim is the same as OPENID_ISSUERS.
- The Protect Function configuration has authorization=JWT.
- At least one of the jwt_user_claim claims exists in the JWT.
- The user claim in the token has permissions to make the protect request.
- The data element exists in the Protect Function App's current policy.
- The JWT is not expired.
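The checklist above can be run against a token before it is sent, which pinpoints which setting disagrees. The following is an added example, not part of the Protegrity documentation or product: it decodes the JWT payload (without verifying the signature, which the Function App does) and applies the aud, iss, jwt_user_claim, policy-user and exp checks. The audience, issuer, user and policy values are constructed placeholders standing in for those recorded in the steps above.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed sample values standing in for the values recorded in the steps above.
OPENID_AUDIENCES = ["11111111-2222-3333-4444-555555555555"]          # EntraIDApplicationID
OPENID_ISSUERS = ["https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0"]
JWT_USER_CLAIM = ["azp", "appid"]
POLICY_USERS = {"66666666-7777-8888-9999-000000000000"}             # Service Account App ID in policy


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified here (the
    Function App verifies it against the issuer keys); this is a claim preflight only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_token(token: str, now: Optional[float] = None) -> List[str]:
    """Apply the troubleshooting checklist to a token and return every failed check."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]           # aud may be a string or a list
    if not any(a in OPENID_AUDIENCES for a in auds):
        problems.append(f"aud {aud!r} is not in OPENID_AUDIENCES")
    if claims.get("iss") not in OPENID_ISSUERS:
        problems.append(f"iss {claims.get('iss')!r} is not in OPENID_ISSUERS")
    present = [c for c in JWT_USER_CLAIM if c in claims]      # first matching claim names the user
    if not present:
        problems.append(f"none of {JWT_USER_CLAIM} is present in the token")
    elif claims[present[0]] not in POLICY_USERS:
        problems.append(f"user {claims[present[0]]!r} has no protect permissions in policy")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired (or has no exp claim)")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for offline testing (not from Azure AD)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.dummy-signature"
```

Paste a real access_token into check_token in place of the constructed one; an empty list means every item on the checklist passed.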