BUG : Unexpected JWT Validation Exception - IDX10205: Issuer validation failed #10532
Comments
|
Running into exactly the same issue with the above mentioned runtime version. Please advise on possible resolution. The dependencies are as follows: <PackageReference Include="AspNetCore.HealthChecks.CosmosDb" Version="8.0.1" />
<PackageReference Include="Azure.Storage.Blobs" Version="12.22.2" />
<PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.22.0" />
<PackageReference Include="Microsoft.Extensions.Options" Version="8.0.2" />
<PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.23.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.2.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="1.3.2" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.ServiceBus" Version="5.22.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.18.1" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="1.4.0" />
<PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="8.0.10" />` |
|
Also running into the same issue.
|
|
Hi there! We also can confirm the issue. Using .NET8 Isolated with the following Functions Runtime version: 4.1036.3.23284 Some of our 'old' functions using .NET6 in process are on a very different runtime version: 4.636.0.23246 where the issue doesn't manifest itself. Since this morning we are facing this 'exception' in Application Insights:
|
|
I am also seeing this issue in a Function App on .NET 8 Isolated runtime version 4.1036.2.2 that started yesterday. |
|
We are also experiencing this issue on .net 8 isolated. Started yesterday (2024-10-30T05:07:32.0527717Z): |
|
We are also seeing the same issue. For added details, we have the same the identical .NET8-Isolated build artifact deployed to 2 function app instances, one of which is still on an older runtime version:
|
|
Hi all, we are also facing this for out .Net 8 isolated function app. Is there are any resolution for this ? |
|
Same here. Runtime version '4.1036.3.23284' is causing the 'IDX10205: Issuer validation failed.' errors. |
|
We have found this to be a problem with the AAD Graph to MS Graph transition accidentally breaking the contract in OAuth2 by changing the issuer. See here: The way Enterprise Application manifest is processed for the App registration for the hosted function means that the client will default to using the This is fixable by force setting the for Make sure this is matched in your Easy Auth configuration in App Service. The below snippet forces the value of the issuer to 1, which was the original implicit default. $body = '{\"api\":{\"requestedAccessTokenVersion\":1}}'
& az rest --method PATCH `
--url "https://graph.microsoft.com/v1.0/applications/$objectId" `
--headers Content-Type=application/json `
--body ($body)Can post more detail on request - but this is our good summary. |
|
@sjhawke thank you for the helpful response. My app does not use Easy Auth. It is configured with a user-assigned managed identity. What would |
Hi - it would be the application id in AAD that is assigned to your service. Check your configuration for the appId in your directory and look it up to find the objectId. It is the .id field in the record and should be a guid. Bear in mind that your managed identity is not the same as an application in AAD/Entra. MSID/User assigned Id is a service principal which is a different kind of entity in the directory and is usually a client, not a service. Note: This has not fully resolved our issue. |
|
We tried updating |
|
We have been having this issue as well, this started 2 weeks ago in our East US region but has now spread to our other regions as well. They are all running version 4.1036.3.23284. I forcefully set the FUNCTIONS_EXTENSION_VERSION to 4.36.0.23246 (without the ~). This has fixed the issue for now. Hopefully this issue will be resolved. |
|
Thank you all for reporting. We're actively looking at this and will provide updates as more information is available. |
|
If you're experiencing this issue, can you please share an invocation ID, time range when the problem occurred and the region your application is running in? Thank you! |
053cfb15-6bad-4466-bf02-51bd29f7d05c - 04/11/2024, 19:32:24.7446117 (UTC/GMT) - UK South |
|
I just noticed that our Exception is not exactly the same as mentioned in this issue. We are getting 'Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException' exceptions. Invocation Id 'e0ca6f5a-41ed-4b4e-97a3-36d9358dc120' in West Europe 11/5/2024, 8:19:43.1806979 AM. Do you want me to create a separate issue for this since it is a different Exception? |
|
Hi! Having the same problem on Azure functions for Node. SDK version 4.1036.3.23284 Invocation ID 1b024620d0dc4d61bebf92e6a1b710e9, West Europe on 2024-11-05T07:48:12.8156859Z. Fortunately the exception is only logged and doesn't crash the app for now... |
Thanks for jumping into this! |
|
Want to share an update. We have so far identified this to be only a change in logging with the 4.10xx versions of the host. Specifically, these exceptions and errors do occur in previous versions (as verified by tests). However, previously they were never sent to customer logs. We will continue to look into this to see if we can avoid emitting the error log. MitigationFor the time being, you can filter this error log via a log filter for Via host.json: {
"Logging": {
"ApplicationInsights": {
"LogLevel": {
"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler": "Warning"
}
}
}
}via app setting: |
@mkeinemans yes please. If you can open a separate issue and capture the details there, we'll be able to look at your specific problem. Thanks! |
@jviau It sounds like these errors were not meant to appear on the customer's side. Does it have something to do with something like an upcoming upgrade to V2 of access tokens as default across the platform or the deprecation of AAD Graph and some internal information gathering MS is doing in the background? The tokens are still valid, but the issuer differs between two versions causing the validation logic to return the exception. |
Just wanted to check, but when I try to set log level at Thanks! |
|
@dggsax I recommend trying with the |
|
I'm getting this error in 2025, is this an issue still? |
|
Same here! Started today! |
|
it will be fixed with the next runtime update, at some point before end of Feb, according to the comment in the fix |
Recent Azure Functions Deployment is appearing to perform Token Validation resulting in "IDX10205: Issuer validation failed" log level message. JWT auth is not configured or expected. Earlier runtime version 4.35 did not exhibit this behaviour. Redeploying of the same code (no issue) with runtime 4.35, new deployment defaults to latest runtime 4.136 will produced this error.
Azure App Service with EasyAuth on / off does not change this behavour.
I should not experience JWT validation issues.
Runtime Stack: DOTNET-ISOLATED|8.0
Runtime/SDK Version: 4.1036.2.2
OS: Linux
Plan: Premium V2
Region: WEU & UKS
Error : IDX10205: Issuer validation failed.
Exception Type : Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException:
at Microsoft.Extensions.DependencyInjection.ScriptJwtBearerExtensions.IssuerValidator (Microsoft.Azure.WebJobs.Script.WebHost, Version=4.1036.0.0, Culture=neutral, PublicKeyToken=null: /src/azure-functions-host/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs:152)
at Microsoft.IdentityModel.Tokens.Validators+d__7.MoveNext (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed (Microsoft.IdentityModel.Tokens, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignatureAndIssuerSecurityKey (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.IdentityModel.Tokens.Jwt, Version=6.35.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+d__6.MoveNext (Microsoft.AspNetCore.Authentication.JwtBearer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
Packages used.
Function Header
public async Task Run
(
[HttpTrigger(AuthorizationLevel.Anonymous, "POST", Route = "Test/Test")]
HttpRequest httpRequest
) => ...
The text was updated successfully, but these errors were encountered: