BUG : Unexpected JWT Validation Exception - IDX10205: Issuer validation failed #10532
Comments
|
Running into exactly the same issue with the above mentioned runtime version. Please advise on possible resolution. The dependencies are as follows: <PackageReference Include="AspNetCore.HealthChecks.CosmosDb" Version="8.0.1" />
<PackageReference Include="Azure.Storage.Blobs" Version="12.22.2" />
<PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.22.0" />
<PackageReference Include="Microsoft.Extensions.Options" Version="8.0.2" />
<PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.23.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.2.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="1.3.2" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.ServiceBus" Version="5.22.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.18.1" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="1.4.0" />
<PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="8.0.10" />` |
|
Also running into the same issue.
|
|
Hi there! We also can confirm the issue. Using .NET8 Isolated with the following Functions Runtime version: 4.1036.3.23284 Some of our 'old' functions using .NET6 in process are on a very different runtime version: 4.636.0.23246 where the issue doesn't manifest itself. Since this morning we are facing this 'exception' in Application Insights:
|
|
I am also seeing this issue in a Function App on .NET 8 Isolated runtime version 4.1036.2.2 that started yesterday. |
|
We are also experiencing this issue on .net 8 isolated. Started yesterday (2024-10-30T05:07:32.0527717Z): |
|
We are also seeing the same issue. For added details, we have the same the identical .NET8-Isolated build artifact deployed to 2 function app instances, one of which is still on an older runtime version:
|
|
Hi all, we are also facing this for out .Net 8 isolated function app. Is there are any resolution for this ? |
|
Same here. Runtime version '4.1036.3.23284' is causing the 'IDX10205: Issuer validation failed.' errors. |
|
We have found this to be a problem with the AAD Graph to MS Graph transition accidentally breaking the contract in OAuth2 by changing the issuer. See here: The way Enterprise Application manifest is processed for the App registration for the hosted function means that the client will default to using the This is fixable by force setting the for Make sure this is matched in your Easy Auth configuration in App Service. The below snippet forces the value of the issuer to 1, which was the original implicit default. $body = '{\"api\":{\"requestedAccessTokenVersion\":1}}'
& az rest --method PATCH `
--url "https://graph.microsoft.com/v1.0/applications/$objectId" `
--headers Content-Type=application/json `
--body ($body)Can post more detail on request - but this is our good summary. |
|
@sjhawke thank you for the helpful response. My app does not use Easy Auth. It is configured with a user-assigned managed identity. What would |
Hi - it would be the application id in AAD that is assigned to your service. Check your configuration for the appId in your directory and look it up to find the objectId. It is the .id field in the record and should be a guid. Bear in mind that your managed identity is not the same as an application in AAD/Entra. MSID/User assigned Id is a service principal which is a different kind of entity in the directory and is usually a client, not a service. Note: This has not fully resolved our issue. |
|
We tried updating |
|
We have been having this issue as well, this started 2 weeks ago in our East US region but has now spread to our other regions as well. They are all running version 4.1036.3.23284. I forcefully set the FUNCTIONS_EXTENSION_VERSION to 4.36.0.23246 (without the ~). This has fixed the issue for now. Hopefully this issue will be resolved. |
|
Thank you all for reporting. We're actively looking at this and will provide updates as more information is available. |
|
If you're experiencing this issue, can you please share an invocation ID, time range when the problem occurred and the region your application is running in? Thank you! |
053cfb15-6bad-4466-bf02-51bd29f7d05c - 04/11/2024, 19:32:24.7446117 (UTC/GMT) - UK South |
|
I just noticed that our Exception is not exactly the same as mentioned in this issue. We are getting 'Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException' exceptions. Invocation Id 'e0ca6f5a-41ed-4b4e-97a3-36d9358dc120' in West Europe 11/5/2024, 8:19:43.1806979 AM. Do you want me to create a separate issue for this since it is a different Exception? |
|
Hi! Having the same problem on Azure functions for Node. SDK version 4.1036.3.23284 Invocation ID 1b024620d0dc4d61bebf92e6a1b710e9, West Europe on 2024-11-05T07:48:12.8156859Z. Fortunately the exception is only logged and doesn't crash the app for now... |
Recent Azure Functions Deployment is appearing to perform Token Validation resulting in "IDX10205: Issuer validation failed" log level message. JWT auth is not configured or expected. Earlier runtime version 4.35 did not exhibit this behaviour. Redeploying of the same code (no issue) with runtime 4.35, new deployment defaults to latest runtime 4.136 will produced this error.
Azure App Service with EasyAuth on / off does not change this behavour.
I should not experience JWT validation issues.
Runtime Stack: DOTNET-ISOLATED|8.0
Runtime/SDK Version: 4.1036.2.2
OS: Linux
Plan: Premium V2
Region: WEU & UKS
Error : IDX10205: Issuer validation failed.
Exception Type : Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException:
at Microsoft.Extensions.DependencyInjection.ScriptJwtBearerExtensions.IssuerValidator (Microsoft.Azure.WebJobs.Script.WebHost, Version=4.1036.0.0, Culture=neutral, PublicKeyToken=null: /src/azure-functions-host/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs:152)
at Microsoft.IdentityModel.Tokens.Validators+d__7.MoveNext (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignatureAndIssuerSecurityKey (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+d__6.MoveNext (Microsoft.AspNetCore.Authentication.JwtBearer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
Packages used.
Function Header
public async Task Run
(
[HttpTrigger(AuthorizationLevel.Anonymous, "POST", Route = "Test/Test")]
HttpRequest httpRequest
) => ...
The text was updated successfully, but these errors were encountered: