How to get jwt token for authentication in azure apim endpoint through Microsoft Actionable Message Card?

Luís Coelho 0 Reputation points
2023-10-18T09:52:19.91+00:00

We are developing an Actionable Message Card that calls an Azure APIM endpoint, but we are having problems authenticating: the response is always 401 Unauthorized.

This is the configuration of the Accept action:

{
    "type": "Action.Http",
    "id": "Accept",
    "title": "Approve",
    "method": "POST",
    "url": "{foo_url}",
    "body": "{bar_body}",
    "headers": [
        {
            "name": "Authorization",
            "value": "{bearer token}"
        },
        {
            "name": "Content-type",
            "value": "application/json"
        },
        {
            "name": "Ocp-Apim-Subscription-Key",
            "value": "{foo_ocp-sub-key}"
        }
    ],
    "isPrimary": true,
    "style": "positive"
}

On the Azure APIM side:

The API security setting "User Authorization" is set to "No"; however, the JWT token is validated in the inbound policies. We are not sure this is the best approach, but it is what it is. We are open to suggestions about this as well.

Using the same headers as in the action configuration in Postman, we have successfully called the API endpoint, but when pressing the "Approve" button in the Actionable Message Card the response is always 401 Unauthorized, even when using the same bearer token that works in the Postman request.

Do you have any ideas about what could be causing this? And how to overcome it?


1 answer

  1. Sonny Gillissen 3,351 Reputation points
    2023-10-21T19:18:38.9033333+00:00

    Hi Luís Coelho,

    Thank you for reaching out on Microsoft Q&A!

    First off: checking your JWT in the inbound policy is the correct way, as there is no other way to validate it. So this part is correct :-)

    When it comes to validating a call from Adaptive Cards you have to keep in mind that this call is routed through a backbone network from Microsoft, with its own tokens. So you should not check your token, but the tokens that are used by the backbone.

    The code snippet below shows you how you can achieve this:

    <!-- Place inside the API's <inbound> policy section. It validates the token
         that the Actionable Message backbone attaches, not the caller's own token. -->
    <validate-jwt header-name="Authorization" failed-validation-error-message="You are not authorized to perform this call" require-scheme="Bearer">
        <!-- Signing keys are discovered from the backbone's OpenID configuration document -->
        <openid-config url="https://substrate.office.com/sts/common/.well-known/openid-configuration" />
        <!-- Only tokens issued by the Microsoft backbone STS are accepted -->
        <issuers>
            <issuer>https://substrate.office.com/sts/</issuer>
        </issuers>
    </validate-jwt>
    

    Please click “Accept answer” if you find this helpful. Feel free to drop additional queries in the comments below!

    Kind regards,

    Sonny

    1 person found this answer helpful.