Share via

Problem configuring azure event grid JWT authentication

Mohammad Alinia 20 Reputation points
2024-12-24T06:18:51.7633333+00:00

I am trying to configure Azure Event Grid's JWT authentication. My tokens are coming from auth0 and I need Event Grid to validate them against the auth0 certificate. Now when I download the certificate from auth0 it only includes the public key (which should be just enough to validate the tokens). But when trying to upload the same certificate to Key Vault, it does not accept it from me because it does not contain the private key. How can I get around this issue?

Azure Event Grid
Azure Event Grid
An Azure event routing service designed for high availability, consistent performance, and dynamic scale.
411 questions
Accepted answer
  1. Khadeer Ali 1,630 Reputation points Microsoft Vendor
    2024-12-30T23:51:44.8066667+00:00

    @Mohammad Alinia ,

    Welcome to the Microsoft Q&A!

    Thanks for the patience! Following up on your question regarding JWT token validation with Azure Event Grid Namespace, I've received confirmation from our Event Grid SME team.

    Azure Event Grid Namespace offers the ability to validate JWT tokens using custom settings. Specifically, you can provide your public key for validation using the CustomJwtAuthenticationSettings. This is available via the Azure CLI and the 2024-12-15-preview API version.

    There are two options for providing the certificate information:

    Using Azure Key Vault (AKV): You can reference certificates stored in AKV by providing the certificate URL and a managed identity.

    Providing the Public Key Directly (Non-AKV): You can directly provide the public key in PEM format. This is the option you were inquiring about.

    Here's a snippet illustrating both options:

    "customJwtAuthentication": {
  "tokenIssuer": "issuer-name",
  // AKV option
  "issuerCertificates": [
    {
      "certificateUrl": "<AKV cert url>",
      "identity": {
        "type": "SystemAssigned"
      }
    }
  ],
  // Non-AKV option for specifying certificates with public key
  "encodedIssuerCertificates": [
    {
      "kid": "key1",
      "encodedCertificate": "<certificate in PEM format>"
    }
  ]
}

    As you can see, the encodedIssuerCertificates array allows you to specify the public key directly using the encodedCertificate field (PEM format) and associate it with a key ID (kid).

    For more details, you can refer to the official documentation: Namespaces - Create Or Update - REST API (Azure Event Grid) | Microsoft Learn

    Please let me know if you have any further questions.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sina Salam 15,006 Reputation points
    2024-12-27T18:24:27.9566667+00:00

    Hello Mohammad Alinia,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having problem configuring azure event grid JWT authentication.

    Check the following steps:

    1. Auth0 provides a JSON Web Key Set (JWKS) endpoint that contains the public keys needed for token validation and retrieve the JWKS URL from your Auth0 tenant under the "Advanced Settings" of the API or application.
    2. Configure the Event Grid subscription to validate JWTs directly using the JWKS endpoint:
      1. Go to the Azure Portal, navigate to your Event Grid subscription.
      2. Under "Advanced Filters," select "Add Filter."
      3. Choose "Token Validation" and provide the JWKS endpoint URL.
    3. Convert the Auth0 public key to a format acceptable by Key Vault:
      1. Auth0's public key is typically provided in PEM format. Convert it into a certificate using the following OpenSSL commands using bash: 
                    openssl req -new -x509 -keyout private.key -out auth0_cert.pem -days 365 -nodes
             openssl x509 -in auth0_cert.pem -pubkey -noout > auth0_public.pem
        The auth0_cert.pem file can now be uploaded to Azure Key Vault.
      2. Upload the public key certificate to Key Vault:
        1. Navigate to the Key Vault in the Azure Portal.
        2. Select "Certificates" -> "Generate/Import" -> "Import."
        3. Upload the auth0_cert.pem file.
    4. Configure Event Grid to use the uploaded certificate for JWT validation. Ensure the "Key Identifier" of the certificate matches the one expected in the tokens.

    Read more of the following links to get more steps:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.