deploying azure apim policy in prod during business hours - azure

I wanted to apply an APIM policy to do JWT validation for a specific URL.
Can I apply this policy during live hours?
When we hit save in the APIM policy editor, will it block incoming requests and return errors in the meantime?
Please advise.
Thanks!

From the APIM service itself there would be no problems or downtime. A few seconds after you press save, the new policy will be enforced and new requests will be processed accordingly.
It's a separate question whether the policy is configured correctly and whether it will cause any service degradation (for example, some requests may result in a 401 response because the wrong claim is specified in validate-jwt). This is something you need to ensure yourself.
See APIM's support for revisions: https://learn.microsoft.com/en-us/azure/api-management/api-management-get-started-revise-api?tabs=azure-portal It may help you test things safely in production.

Related

Receiving an InvalidAuthorizationTokenTenant error when triggering a Logic App on Azure even with one account?

Currently, I am trying to run a trigger on a Logic App on Microsoft Azure, but every time I try, I receive an InvalidAuthorizationTokenTenant error. Let me explain.
So I have a Virtual Machine on Microsoft Azure called StaticReportingVM that runs a service automatically when it is turned on. I am trying to automate the process of turning the machine on and off using a Logic App called startVM. The logic design is below: it has a recurrence task that checks the time of year it is (the task should run at the beginning of every month), it tells the machine to turn on, and notifies me through my personal email whether or not the task has succeeded.
[Image: startVM design]
[Image: startVM parameters]
The parameters are correct for my machine and my subscription. However, every time I run the trigger, I get the following error:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxx-xxxxxxx-xxxxxxx/'. It must match the tenant 'https://sts.windows.net/yyyyy-yyyyy-yyyyyy/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/yyyyy-yyyyy-yyyyyy' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}
Note that xxxxx-xxxxx-xxxxx is different from yyyyy-yyyyy-yyyyy and the two yyyyy-yyyyy-yyyyys are the same. (Not sure if this helps answer my question but I just want to cover more bases!)
Below is a (poorly edited) image of the connections I have set for the Logic App to work, where the email above is the email registered with my Azure account and the Office 365 email is my personal email to notify me of whether or not the trigger has worked.
[Image: startVM connections]
I have a few questions about this: why am I getting an InvalidAuthenticationTokenTenant error even though I am only using the one subscription? Is it possible I have multiple tenants under this account, and if so, how can I delete those tenants? How can I bypass the error and get the logic app working?
P.S. This is my first stackoverflow question so I'm sorry if I am missing any critical details! Any and all feedback is appreciated.
• The way you are trying to trigger a logic app on a Microsoft Azure VM for starting a recurrence task and notifying you through a personal email address is incorrect. You should create a managed identity for the logic app through which the trigger is configured. Once configured, assign a new role to the logic app's managed identity through the VM's IAM (Identity and Access Management) blade. Once done, update the 'Start the Virtual Machine' task in the logic app to connect using the managed identity created for the logic app.
In this way, your issue should get resolved and you should not receive any error regarding the 'Tenant token authentication'. Also, you are getting this error because, when you are configuring the 'StartVM parameters', the tenant ID is not asked for; only the 'subscription ID' and the 'resourceGroup' are asked for. Thus, if you have at least 'Contributor' role access in more than one tenant linked to each other, the default tenant ID and the tenant in which your VM is deployed will be different, and hence the conflicting error you faced.
• Please find the below snapshot of the configuration for including the managed identity in your logic app design: -
Thus, once you give the managed identity of the VM as the connection in the logic app 'Start VM' action, the logic app 'Start VM' trigger will use the managed identity's role assigned on the VM as authorization to start the VM, and hence the tenant token issue will get resolved.
For more information and clarification on this, kindly refer to the link below:
https://learn.microsoft.com/en-us/azure/azure-functions/start-stop-vms/deploy#enable-multiple-subscriptions

Phone sign up and sign in custom policy in Azure ADB2C does not work

I attempted to implement the custom policy to allow phone authentication while setting up Azure AD B2C for my application and tried to follow the instructions present here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/phone-authentication
I completed the prerequisites and believe I have everything set up correctly, but when I try to run the custom policy B2C_1A_SignUpOrSignInWithPhone, I receive a message to my phone number (based out of India) with the verification code. When I enter the verification code into the browser, I receive an HTTP 400 with "too many requests" and I'm not sure why. How do I ensure that this feature will be functional if I implement it into my application? Has anyone else faced this issue? (Tried incognito as well.)
SOLVED:
Looks like the file "Phone_Email_Base.xml" needed to be edited to include the tenant name in the two and tags. This was not mentioned in the tutorial and therefore it took a bit of time to figure out why. I will be forwarding this to Microsoft so that they can fix it in their documentation.

stop global level policy execution at operation level

This is in the context of the Azure API Management (APIM) service. I believe the new UI changes in Azure have changed the behaviour of policy execution.
I have one validate-jwt policy set at the global level for all APIs.
Recently I had to add a new API which doesn't need JWT validation but certificate authentication.
So in APIM I created a new API and product, and added the certificate authentication policy at the product level.
When I run my API, the JWT policy is also firing. How can I stop it from executing in this case? I removed <base /> but it stopped both the global and the product level policy.
I want to stop execution of the global policy but I want the product level policy to execute.
Please advise.
I had the same situation where I needed a specific API to skip a global policy that I had set up for JWT validation. The way that I made it work was by removing the <base /> tag from my API policies.
Of course, this removed all of my global policies, not only the JWT validator. But this was fine for my particular case.
This is not controlled by the UI at all and wouldn't have been subject to recent updates. The policy chain is controlled with the <base /> tag in policies. At the operation level the <base /> tag invokes the API policy, at the API level it invokes the product policy, and at the product level it invokes the global policy. If you remove <base /> from a policy document, the chain is broken and the base policy invocation will not happen. So if for a certain product you do not want the global policy to be invoked for every call, just remove <base /> from the product policy.
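The chain described above, written out as three policy documents. This is an added illustration, not policy from the question or answers, and the client certificate thumbprint is a placeholder. Removing <base /> only from the product document cuts the link to the global validate-jwt while the API document still reaches the product policy.

```xml
<!-- Global policy (All APIs): JWT validation for everything that reaches it. -->
<policies>
    <inbound>
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
        </validate-jwt>
    </inbound>
    <backend><forward-request /></backend>
    <outbound />
    <on-error />
</policies>

<!-- Product policy for the certificate-authenticated product.
     No <base /> in <inbound>: the global validate-jwt is never invoked here.
     The other sections keep <base /> so forwarding still happens. -->
<policies>
    <inbound>
        <validate-client-certificate validate-revocation="true"
                                     validate-trust="true"
                                     validate-not-before="true"
                                     validate-not-after="true"
                                     ignore-error="false">
            <identities>
                <!-- Placeholder thumbprint of the expected client certificate. -->
                <identity thumbprint="0000000000000000000000000000000000000000" />
            </identities>
        </validate-client-certificate>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>

<!-- API policy for the new API: <base /> here reaches the product policy,
     which is where the chain now stops. -->
<policies>
    <inbound><base /></inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

A caveat that follows from the chain: every API placed in this product skips the global policy, so keep the product limited to the APIs that are meant to rely on certificate authentication.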

Disabling Ocp-Apim-Trace in the Azure API Management Services

Is there a way to disable Ocp-Apim-Trace in the Azure API Management Services?
There is no way to disable tracing functionality; not sending this header will disable trace collection for one request only. But do know that only admin users are capable of collecting traces: if this header is supplied along with a subscription key that does not belong to an admin account (or no subscription key at all), no traces will be collected. The idea here is that traces may expose information the service owner may not be willing to share with developers.
As well as doing what Vitaliy suggests, you could additionally strip the Ocp-Apim-Trace-Location header from the response in the outbound and error sections as insurance.
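The header-stripping step from the second answer, as an added example rather than the answerer's own policy. Deleting the header in both <outbound> and <on-error> matters because a request that fails in the inbound section never reaches <outbound>.

```xml
<!-- Global policy fragment: drop the trace location from every response. -->
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Remove the header if present; no-op when tracing was not collected. -->
        <set-header name="Ocp-Apim-Trace-Location" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
        <!-- Error responses bypass <outbound>, so strip it here as well. -->
        <set-header name="Ocp-Apim-Trace-Location" exists-action="delete" />
    </on-error>
</policies>
```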

HTTP 400: size of request headers is too long when signing in a user using multifactor authentication

I am trying out Azure AD B2C. The user sign-up/sign-in is fine when MFA is turned off. But when I turn it on, and the user tries to sign in, provides the phone number, and requests a text message by clicking "send code", I get the HTTP 400 error: size of request headers is too long. Does anybody else have this issue?
The error HTTP 400: Size of request headers is too long generally happens because there are too many cookies.
Azure AD B2C's login goes through login.microsoftonline.com, as does almost every Microsoft service (O365, Azure, etc.). So if you've got several accounts that you've signed in to across these services, you're accumulating cookies that will cause this problem.
Clearing the cookies should resolve this problem. If this is happening on a recurring basis, you should edit your question to include details about the request and cookies in order to best figure out what's bloating the request and how to reduce it.
Short answer: The file with the custom UI was not found by the Microsoft login service. After getting shipped around, it resulted in the error.
I had the same error with AAD B2C, but "cookies" was not the problem. In my case I got the error while testing in the Azure B2C portal, checking the policies and the custom UI pages. We use Azure Blob storage to hold the custom login setup; it's fast and it scales without our attention. The problem was found by using my test website with the B2C service. I put a stop/break on the Account controller's "public Task OnRemoteFailure(RemoteFailureContext context)" method. The debugger message gave me the full context of the error, an HTTP 404 error, and it gave the file name it was trying to find. Blob storage is case sensitive. The setup configuration used to configure B2C has camelCase names. The group who created the actual UI customization uses all lower case names. It took someone with access to all the assets to find the simple case name issue. Errors in distributed systems can be difficult.