Issue with Token Validation Across Multiple App Registrations (ClientID & ClientSecret)

Patrik Kovacs 0 Reputation points
2024-12-16T11:17:14.7566667+00:00

We are experiencing an issue where tokens issued for one app registration (app.registration-1) can be used to access APIs of other app registrations (app.registration-2, app.registration-3). Specifically, we are using the clientId and clientSecret from app.registration-1 to request a token, but when the scope is set to an API associated with another app registration, the token is still valid and can be used to access that API, even though it should not be.

Details:

  • The token returned for app.registration-1 is valid for APIs of other app registrations (app.registration-2, app.registration-3).
  • We are validating the aud (audience) and iss (issuer) claims, but this does not prevent access to the other app’s APIs as the token is still valid for them.

Objective: We want to ensure that tokens are restricted to the API of the specific app for which they were issued.

We are using Logic Apps and Function Apps with Managed Identity, but those managed identities are not assigned the appropriate roles by default in the enterprise applications.

We have attempted to implement role validation in APIM; however, delegating roles for each Logic App and Function App enterprise application is difficult (since we are using deployments via Terraform).

Therefore, we are looking for a more efficient solution. How can we prevent tokens issued for one app registration from being used to access APIs of other app registrations?
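An added example (not part of the question, nor Microsoft's own code) showing the claim-level checks an API could run after signature and expiry verification: the `aud`/`iss` checks the question already does, plus the two stronger checks that actually bind a token to an intended caller, requiring the `roles` claim (app role assignment, as tried in APIM) or an allow-list of calling client ids read from the `azp` (v2) / `appid` (v1) claim. The caller allow-list goes beyond what the question describes; all tenant, client and role values are constructed.

```python
# Added example: policy check on already signature-verified token claims.
# `aud`, `iss`, `roles` are standard Entra claims; `azp` (v2 tokens) / `appid`
# (v1 tokens) carry the calling app's client id. All IDs below are constructed.
from dataclasses import dataclass

TENANT_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0"

@dataclass
class ApiPolicy:
    expected_aud: str                        # this API's application ID URI or client id
    expected_iss: str
    required_roles: frozenset = frozenset()  # app roles the caller must hold (empty = none)
    allowed_callers: frozenset = frozenset() # client ids allowed to call (empty = any)

def caller_app_id(claims):
    return claims.get("azp") or claims.get("appid")

def authorize(claims, policy):
    """Return (allowed, reason). Signature and expiry are assumed checked already."""
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if policy.expected_aud not in aud:
        return False, "aud mismatch"
    if claims.get("iss") != policy.expected_iss:
        return False, "iss mismatch"
    # Any app registration in the tenant can request this API's scope with its own
    # client credentials, so aud/iss only prove the token was minted for this API,
    # not that this caller was meant to get one. Hence the two checks below.
    roles = set(claims.get("roles", []))
    if policy.required_roles and not policy.required_roles <= roles:
        return False, f"missing app role(s): {sorted(policy.required_roles - roles)}"
    caller = caller_app_id(claims)
    if policy.allowed_callers and caller not in policy.allowed_callers:
        return False, f"caller {caller} not on allow-list"
    return True, "ok"

# Constructed claims: token obtained with app.registration-1's client credentials for
# app.registration-2's scope. aud/iss are valid for API 2; no app role was assigned.
TOKEN_FROM_APP1_FOR_API2 = {
    "aud": "api://app-registration-2", "iss": TENANT_ISSUER,
    "azp": "11111111-1111-1111-1111-111111111111",  # app.registration-1 client id
}
# Constructed claims: a caller that was assigned the app role on API 2.
TOKEN_FROM_ASSIGNED_CALLER = {
    "aud": "api://app-registration-2", "iss": TENANT_ISSUER,
    "azp": "33333333-3333-3333-3333-333333333333", "roles": ["Orders.Read"],
}
AUD_ISS_ONLY = ApiPolicy("api://app-registration-2", TENANT_ISSUER)
WITH_ROLES = ApiPolicy("api://app-registration-2", TENANT_ISSUER, required_roles=frozenset({"Orders.Read"}))
```

With `AUD_ISS_ONLY`, the app.registration-1 token is accepted (the situation in the question); with `WITH_ROLES`, it is rejected while the assigned caller's token still passes.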
