hello,
I would like to secure an api with openidconnect Azure AD B2C.
I have provided the issuer url (https://mydomain.com/myADid/v2.0) and clientid which are identical to the JWT token provided.
I have an error message:
Failure while decoding the configuration retrieved from endpoint https://mydomain.com/myADid/v2.0/.well-known/openid-configuration.
The correct url to validate the token should be https://mydomain.com/myADid/v2.0/.well-known/openid-configuration?p=b2c_1_signup_signin
where b2c_1_signup_signin is the name of my policy in AzureAD.
How can I pass this parameter?
Hello Nmejane,
The configuration for the OpenID Connect Authentication doesn’t provide a parameter for you to specify your OpenID Connect metadata document URL, which makes it difficult to change what’s assumed by the Gateway. Although using the value generated based on the Issuer would work for some IDPs with predictable URL schemes like Auth0 and the likes, but may fall short for others like in your case.
So on that note, I would recommend you use the JWT Authentication instead, which performs an even better form of JWT validation than OpenID Connect and covers a wide range of IDPs. The basic configurations required are a URL to your JSON Web Key Set (jwks_url) and a default Tyk Policy ID. I have attached a screenshot of a working configuration as well as its API Definition:
……
“enable_jwt”: true,
“jwt_signing_method”: “rsa”,
“jwt_source”: “aHR0cHM6Ly9sZWFkYW5nZWwuYjJjbG9naW4uY29tL2xlYWRhbmdlbC5vbm1pY3Jvc29mdC5jb20vZGlzY292ZXJ5L3YyLjAva2V5cz9wPWIyY18xX3NpZ25pbnNpZ251cA==”,
“jwt_policy_field_name”: “pol”,
“jwt_identity_base_field”: “sub”,
“jwt_default_policies”: [
“6274faa757ee790001e475fe”
],
……
NB: if you are configuring your APIs via its definition, the jwt_source parameter is the JSON Web Key Set (jwks_url) in base64 formation. You can obtain this URL from your OpenID Connect metadata document Link, which should be https://mydomain.com/myADid/discovery/v2.0/keys?p=b2c_1_signup_signin in your case.
So let me know how it goes.
