JWT token validates correctly, but fails Azure media AES with AuthorizationPolicyEvaluationFailure error
I've setup a simple Azure function to test out Azure media services. I'm trying to protect a video I uploaded, but I can't seem to get the JWT right. Here's the simple function code.
[FunctionName("Test")]
public static async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
ILogger log)
{
var expires = DateTimeOffset.UtcNow.AddMinutes(20);
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("RYhzAnz....VP0uQ==")); // removed full key for brevity
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
var claims = new List<Claim>
{
};
var token = new JwtSecurityToken("http://test.net/",
"urn:user",
claims.AsEnumerable(),
expires: expires.LocalDateTime,
signingCredentials: credentials
);
return new OkObjectResult(new JwtSecurityTokenHandler().WriteToken(token));
}
I've filled out the issuer/audience in the token so that it matches what is in my Azure settings.
I've even validated that token on jwt.io, and it verified correctly
But when I test it out on the Azure Media Player, the response is a 401 with a AuthorizationPolicyEvaluationFailure.
Here's the response from the Azure key delivery service
{
"Error": {
"Message": "Failed content key policy evaluation.",
"Code": "AuthorizationPolicyEvaluationFailure"
}
}
Found out what I was doing wrong. Problem was hidden in plain sight. Issue came down to this line of code.
Encoding.UTF8.GetBytes("RYhzAnz....VP0uQ==")
This was getting the bytes of the security key, but the security key itself is base64 encoded. I had to change it to this instead.
System.Convert.FromBase64String("RYhzAnz....VP0uQ==")
I was able to figure this out while debugging the Azure Media Service AES example.
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs