Issue with Custom JWT Authentication for Azure Event Grid MQTT Broker

Robin Dahlberg 20 Reputation points
2025-02-04T09:21:48.98+00:00

We are trying to authenticate a MQTT client with Azure Event Grid MQTT Broker using custom JWT authentication from our own OIDC Identity Provider hosted in app service.
However, we keep encountering authentication errors related to audience validation and issuer mismatch.

We have followed the Event Grid JWT authentication guide: Authenticate with namespaces using JSON web tokens.

We have set up a simple console app for testing, similar to this sample: https://github.com/Azure-Samples/MqttApplicationSamples/blob/main/scenarios/jwt_authentication/README.md

topicSpacesConfiguration looks something like this:

"topicSpacesConfiguration": { 
    "state": "Enabled",
    "hostname": "<my-event-grid-mqtt-hostname>", 
    "clientAuthentication": {
        "customJwtAuthentication": {
            "tokenIssuer": "<my-openid-server>", 
            "issuerCertificates": [
                {
                    "certificateUrl": "<keyvault-url>", 
                    "identity": {
                        "type": "SystemAssigned"
                    }
                }
            ]
        }
    },
    "maximumSessionExpiryInHours": 1,
    "maximumClientSessionsPerAuthenticationName": 1
}

The token used by the client looks like this:

{
  "iss": "https://<my-identity-provider>/",
  "sub": "test-client",
  "aud": "https://<my-eventgrid-mqtt-hostname>",
  "exp": 1700000000,
  "iat": 1699990000
}

Based on the documentation, we expected the aud claim to be set to the Event Grid MQTT hostname, <my-eventgrid-namespace>.<region>.ts.eventgrid.azure.net. But if we do, we get an authentication error with a message saying that only "https://eventgrid.azure.net" is a valid audience:

"Message: IDX10214: Audience validation failed. Audiences: 'https://<my-eventgrid-mqtt-hostname>'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'https://eventgrid.azure.net, 823c0a78-5de0-4445-a7f5-c2f42d7dc89b, https://eventgrid.azure.net"

If we change the aud claim to "https://eventgrid.azure.net", we instead receive a different error:

IDX40001: Issuer: 'https://<my-identity-provider>', does not match any of the valid issuers provided for this application.

  1. Have we misunderstood what the correct value for the aud claim should be?
  2. If it is supposed to be https://eventgrid.azure.net, how can I ensure that Event Grid recognizes my custom OIDC issuer (iss claim)?

Any guidance would be greatly appreciated!

Accepted answer
  Khadeer Ali 3,430 Reputation points Microsoft Vendor
    2025-02-11T17:30:48.3833333+00:00

    @Robin Dahlberg ,

    Thank you for your patience as we investigated this further. Based on feedback from the Event Grid team, it appears that there is some confusion due to documentation inconsistencies regarding JWT authentication models.

    To clarify:

    1. There are two different JWT authentication models for Event Grid MQTT Broker:
      • Entra ID JWT Authentication: Requires aud to be set to "https://eventgrid.azure.net".
      • Custom JWT Authentication (your scenario): Requires aud to be set to your Event Grid MQTT hostname, i.e.,
             "aud":
    2. Your configuration is correct based on the Custom JWT authentication model. Additionally, I have shared feedback with the internal team to update the documentation to prevent further confusion.
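A client-side preflight that compares a token's claims with the custom JWT settings in topicSpacesConfiguration, applying the accepted answer's rule that under the custom JWT model aud names the MQTT hostname. This is an added example, not code from the question, the answer or the Azure samples; the hostname, the issuer URL and the comparison rules (exact iss match, hostname with or without an https:// scheme, asymmetric alg only) are assumptions of the check, not documented broker behaviour.

```python
import base64
import json
import time

# Constructed fixture mirroring the question's topicSpacesConfiguration; the
# hostname and issuer below are hypothetical placeholders, not real endpoints.
TOPIC_SPACES_CONFIG = {
    "hostname": "my-namespace.westeurope-1.ts.eventgrid.azure.net",
    "clientAuthentication": {"customJwtAuthentication": {
        "tokenIssuer": "https://my-idp.azurewebsites.net/"}},
}
# Algorithms an issuer certificate can verify (assumption of this check).
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_test_token(claims, alg="RS256"):
    """Assemble a compact JWS for local testing only; the signature segment is a
    placeholder because this preflight never verifies signatures (the broker does)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'not-a-signature')}"

def preflight(token, config, now=None):
    """Return the claim mismatches to fix before connecting. Assumptions of this
    check, not documented broker behaviour: iss must equal tokenIssuer exactly,
    and aud may carry the hostname with or without an https:// scheme."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a compact JWS (header.payload.signature)"]
    header = json.loads(_unb64url(parts[0]))
    claims = json.loads(_unb64url(parts[1]))
    custom = config["clientAuthentication"]["customJwtAuthentication"]
    problems = []
    if header.get("alg") not in ASYMMETRIC_ALGS:
        problems.append(f"alg {header.get('alg')!r} cannot be verified with an issuer certificate")
    if claims.get("iss") != custom["tokenIssuer"]:
        problems.append(f"iss {claims.get('iss')!r} != tokenIssuer {custom['tokenIssuer']!r}")
    aud = claims.get("aud")
    auds = set(aud if isinstance(aud, list) else [aud])
    host = config["hostname"]  # custom JWT model: aud names the MQTT hostname
    if not auds & {host, "https://" + host}:
        problems.append(f"aud {sorted(map(str, auds))} does not name the MQTT hostname {host!r}")
    if "exp" not in claims or claims["exp"] <= now:
        problems.append("exp missing or already passed")
    return problems
```

Running preflight on a token whose aud is "https://eventgrid.azure.net" reports the audience mismatch the question hit, while a token carrying the MQTT hostname passes.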
