Issue with Token Validation Across Multiple App Registrations (ClientID & ClientSecret)
We are experiencing an issue where tokens issued for one app registration (app.registration-1) can be used to access APIs of other app registrations (app.registration-2, app.registration-3). Specifically, we are using the clientId and clientSecret from app.registration-1 to request a token, but when the scope is set to an API associated with another app registration, the token is still valid and can be used to access that API, even though it should not be.
Details:
- The token returned for app.registration-1 is valid for APIs of other app registrations (app.registration-2, app.registration-3).
- We are validating the aud (audience) and iss (issuer) claims, but this does not prevent access to the other app’s APIs as the token is still valid for them.
Objective: We want to ensure that tokens are restricted to the API of the specific app for which they were issued.
We are using Logic Apps and Function Apps with Managed Identity, but those managed identities are not assigned the appropriate roles by default in the enterprise applications.
We have attempted to implement role validation in APIM; however, delegating roles for each Logic App and Function App enterprise application is difficult (since we are using deployments via Terraform).
Therefore, we are looking for a more efficient solution. How can we prevent tokens issued for one app registration from being used to access APIs of other app registrations?
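An added example (not from the original post) of the check that aud and iss validation alone does not perform: the Python validator below also ties each API audience to an allowlist of calling application ids (the azp claim in v2 Entra ID tokens, appid in v1) and optionally to an app role, so a token minted for app.registration-2's API at the request of app.registration-1 is rejected. Issuer, audience and client ids are constructed placeholders; signature verification is assumed to happen upstream (for example in an APIM validate-jwt policy).

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed placeholders, not the poster's real tenant or app ids.
TENANT_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
API2_AUDIENCE = "api://app-registration-2"
CALLER_APP1 = "<client-id-of-app-registration-1>"
CALLER_ALLOWED_FOR_API2 = "<client-id-allowed-to-call-app-registration-2>"

# Per-API allowlist of calling application ids: only these clients may use a
# token minted for that API, regardless of what aud/iss say.
ALLOWED_CALLERS = {API2_AUDIENCE: {CALLER_ALLOWED_FOR_API2}}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (signature assumed verified upstream)."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def authorize(token: str, audience: str, required_role: Optional[str] = None) -> Tuple[bool, str]:
    """aud/iss/exp checks plus the caller check that closes the gap described above."""
    c = decode_claims(token)
    if c.get("iss") != TENANT_ISSUER:
        return False, "issuer mismatch"
    aud = c.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return False, "audience mismatch"
    if c.get("exp", 0) < time.time():
        return False, "expired"
    # Which client asked for this token? v2 tokens carry azp, v1 tokens carry appid.
    caller = c.get("azp") or c.get("appid")
    if caller not in ALLOWED_CALLERS.get(audience, set()):
        return False, f"caller {caller!r} not allowed for {audience}"
    if required_role and required_role not in c.get("roles", []):
        return False, f"missing app role {required_role!r}"
    return True, "ok"


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned demo JWT (alg none); production code must never accept these."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```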