
I have a validate-jwt instruction in my APIM API policy (<inbound> section).

I am sending a hopefully correct token in a header and the request still fails.

What would be the way to find out from the APIM which specific JWT token validation check has failed?

2 Answers


  1. Chosen as BEST ANSWER

    I have figured out how to do the logging.

    1. Enable Application Insights for APIM, set 100% sampling for your desired API and enable the necessary flags (see Application Insights for APIM).
    2. In the designated Application Insights instance, the JWT token issues are found if you query:

        exceptions
        | where type contains "Token"

    Note that type is different depending on what is wrong with the JWT token, but I am speculating that all relevant types might start with "Token..."

    so you get something like:

        IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/(abridged UUID)/'. Did not match: validationParameters.ValidIssuer: '' or validationParameters.ValidIssuers: 'https://login.microsoftonline.com/{tenantid}/v2.0'.
        outerMethod
        validate-jwt

    Also, from the App Insights Application map one can click through to failed requests and drill down to the exceptions, arriving at similar log output.


  2. Have you checked that the JWT is in fact valid? To do this you can paste the whole token value into https://jwt.ms to decode it and see whether any information is missing.

    If the token is valid, I would suggest setting up Application Insights for APIM if you haven’t done that already and see if you can get any more relevant information from the logs there.
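Added example (not part of either answer above): a small local script that does what both answers suggest, decoding the token the way jwt.ms does and then re-running the issuer, audience and lifetime checks that validate-jwt performs, reporting every failing check by name. It is built around a constructed, unsigned sample token whose iss is the v1.0 sts.windows.net issuer, so it reproduces the IDX10205 issuer mismatch from the first answer when the expected issuer is only the v2.0 login.microsoftonline.com URL. The tenant id, audience and clock values are assumptions; signature verification is deliberately not reproduced.

```python
import base64
import json
import time

# Constructed tenant id and expected values (assumptions for this example).
TENANT = "00000000-0000-0000-0000-000000000000"
V1_ISSUER = f"https://sts.windows.net/{TENANT}/"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
EXPECTED_AUDIENCE = "api://example-api"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned token (alg "none") purely to exercise the
    claim checks below. APIM would reject it; never issue or accept such tokens."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "",  # empty signature segment
    ])


def decode_jwt(token: str):
    """Split a compact JWT into (header, payload) without verifying the
    signature, which is the same view jwt.ms gives you."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_claims(payload: dict, issuers, audiences, now=None, skew=0):
    """Mirror validate-jwt's issuer, audience and lifetime checks and return a
    list describing every failure, so you can see which check would trip in
    APIM. Signature verification is not reproduced here."""
    now = time.time() if now is None else now
    failures = []

    iss = payload.get("iss")
    if iss not in issuers:
        failures.append(f"issuer: token iss={iss!r}, expected one of {sorted(issuers)}")

    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in audiences for a in aud_list):
        failures.append(f"audience: token aud={aud!r}, expected one of {sorted(audiences)}")

    exp = payload.get("exp")
    if exp is None:
        failures.append("lifetime: token has no exp claim")
    elif now > exp + skew:
        failures.append(f"lifetime: token expired at {exp}, now is {int(now)}")

    nbf = payload.get("nbf")
    if nbf is not None and now < nbf - skew:
        failures.append(f"lifetime: token not valid before {nbf}, now is {int(now)}")

    return failures


# Constructed sample: a v1.0-style token whose issuer is sts.windows.net,
# like the one in the IDX10205 message quoted in the first answer.
SAMPLE_PAYLOAD = {
    "iss": V1_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,
    "ver": "1.0",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_PAYLOAD)
SAMPLE_NOW = 1_700_000_100  # fixed clock so the lifetime check is deterministic


if __name__ == "__main__":
    header, payload = decode_jwt(SAMPLE_TOKEN)
    print("header:", header)
    print("payload:", payload)
    # Policy configured with only the v2.0 issuer: the issuer check fails.
    for failure in check_claims(payload, {V2_ISSUER}, {EXPECTED_AUDIENCE}, now=SAMPLE_NOW):
        print("FAIL", failure)
    # Policy listing the issuer the token actually carries: no failures.
    print("v1+v2:", check_claims(payload, {V1_ISSUER, V2_ISSUER}, {EXPECTED_AUDIENCE}, now=SAMPLE_NOW))
```

Run it with a real token pasted into decode_jwt and the issuers and audience values from your policy, and the failing check names tell you which validate-jwt condition to look for in the Application Insights exceptions. Whether to list the v1.0 sts.windows.net issuer alongside the v2.0 one in the policy, or to change the client to request a v2.0 token, is a decision for the API owner; the script only shows which one the token carries.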
