

How do I configure API Management to validate JWTs in Azure Logic Apps


To configure API Management to validate JWTs in Azure Logic Apps, follow these steps:

1. Obtain a JWT: First, obtain an access token from Azure AD for the app registration that represents your Logic App. Sign in from a client that calls the Logic App and use a tool such as Fiddler to inspect the HTTP exchange and capture the bearer token from the token response[2]. You will use this token in step 4 to exercise the policy.

2. Configure API Management Policy:
- Navigate to your Azure API Management instance in the Azure portal.
- Select the API that you want to secure with JWT validation.
- Go to the Inbound processing section and click on the Form-based Editor or Code View to add a new policy.

3. Add Validate JWT Policy: In the Code View, add a `validate-jwt` policy inside the `<inbound>` section. The policy checks that the configured HTTP header (usually `Authorization`) carries a signed, unexpired token whose claims match the policy, and rejects the request with the configured status code (401 here) otherwise. The signing keys are downloaded from the OpenID Connect discovery document at the `openid-config` URL, so you never paste keys into the policy yourself.

```xml
<inbound>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid." require-expiration-time="true" require-signed-tokens="true">
        <openid-config url="https://login.microsoftonline.com/{your-AzureAD-domain}/.well-known/openid-configuration" />
        <audiences>
            <audience>http://YourLogicApp</audience>
        </audiences>
    </validate-jwt>
    <base />
</inbound>
```

Replace `{your-AzureAD-domain}` with your actual Azure AD tenant (domain or tenant ID) and `http://YourLogicApp` with the audience your tokens are issued for, which is the Application ID URI of the app registration that represents your Logic App. The error message text is an example; set any text you like. Keep the `<audiences>` element: without it the policy accepts any token the tenant issues, including tokens minted for unrelated applications.

4. Test the Policy:
- Use Postman or the API Management Developer Portal to call your API with and without a valid JWT. Send the token as `Authorization: Bearer <token>`.
- If the token is missing, expired, signed by a key the tenant does not publish, or issued for a different audience, you should receive a 401 Unauthorized response carrying the error message configured in the policy; with a valid token the request is forwarded to the Logic App.

5. Troubleshooting: If you encounter "JWT Validation Failed: IDX10500: Signature validation failed," the token's signature could not be verified with any key published at the `openid-config` URL. Check that the URL points at the tenant that issued the token (compare it with the token's `iss` and `tid` claims) and that the discovery document is reachable from API Management[3]. Enabling request tracing on the API shows which check in the policy failed.
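To make concrete what the policy enforces in steps 3 to 5, and why each test case in step 4 fails the way it does, here is an added example that models the policy's checks in Python; it is not code from this page or from Azure API Management. For offline use it assumes an HS256 shared secret in place of the RS256 keys the real policy downloads through the `openid-config` URL, and the issuer string is a placeholder; `mint_token`, `validate_jwt` and `demo` are names of this example only.

```python
"""Offline model of the checks the APIM validate-jwt policy performs.

Added example, not code from the original page or from Azure API Management.
Assumptions (constructed for the example): an HS256 shared secret stands in for
the RS256 signing keys the real policy downloads from the openid-config jwks_uri,
and ISSUER is a placeholder for your tenant's issuer value.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sts.windows.net/{your-AzureAD-domain}/"   # placeholder issuer
AUDIENCE = "http://YourLogicApp"                              # audience from the page

# Mirrors the validate-jwt element's attributes and child elements.
POLICY = {
    "header_name": "Authorization",
    "failed_validation_httpcode": 401,
    "failed_validation_error_message": "Unauthorized. Access token is missing or invalid.",
    "audiences": {AUDIENCE},
    "issuers": {ISSUER},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a JWT; plays the role of the Azure AD token endpoint (constructed)."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def validate_jwt(headers: dict, key: bytes, policy: dict = POLICY, now=None):
    """Return (status, detail) as the policy would decide for one inbound request.

    200 means the request is forwarded to the Logic App; 401 carries the configured
    error message with the failing check appended, much like the APIM trace output.
    """
    now = time.time() if now is None else now

    def reject(reason):
        return (policy["failed_validation_httpcode"],
                f"{policy['failed_validation_error_message']} ({reason})")

    raw = headers.get(policy["header_name"])
    if raw is None:
        return reject("missing header")
    scheme, _, token = raw.partition(" ")
    if scheme != "Bearer" or not token:
        return reject("expected Bearer scheme")
    parts = token.split(".")
    if len(parts) != 3:
        return reject("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error), bad UTF-8 and bad JSON
        return reject("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return reject("malformed token")
    # Pin the algorithm: an "alg": "none" token must never count as signed.
    if header.get("alg") != "HS256":
        return reject("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return reject("IDX10500: Signature validation failed")
    if "exp" not in claims:
        return reject("missing exp")  # require-expiration-time="true"
    if claims["exp"] <= now:
        return reject("token expired")
    if claims.get("iss") not in policy["issuers"]:
        return reject("issuer not allowed")
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & policy["audiences"]:
        return reject("audience mismatch")
    return 200, "forwarded to Logic App"


def demo(now=None):
    """Replay the page's test step: one valid token, then each failure mode."""
    now = time.time() if now is None else now
    key = b"tenant-signing-secret-constructed-for-example"
    good = {"aud": AUDIENCE, "iss": ISSUER, "exp": int(now) + 3600}
    token = mint_token(good, key)
    h, p, s = token.split(".")
    # Same signature, edited payload: an attacker changing claims after issuance.
    tampered = f"{h}.{_b64url_encode(json.dumps(dict(good, aud='api://other')).encode())}.{s}"
    return {
        "valid": validate_jwt({"Authorization": f"Bearer {token}"}, key, now=now),
        "missing": validate_jwt({}, key, now=now),
        "wrong_key": validate_jwt({"Authorization": f"Bearer {mint_token(good, b'other-tenant-key')}"}, key, now=now),
        "tampered": validate_jwt({"Authorization": f"Bearer {tampered}"}, key, now=now),
        "wrong_aud": validate_jwt({"Authorization": f"Bearer {mint_token(dict(good, aud='api://other'), key)}"}, key, now=now),
        "expired": validate_jwt({"Authorization": f"Bearer {mint_token(dict(good, exp=int(now) - 1), key)}"}, key, now=now),
        "alg_none": validate_jwt({"Authorization": f"Bearer {mint_token(good, key, alg='none')}"}, key, now=now),
    }


if __name__ == "__main__":
    for name, (status, detail) in demo().items():
        print(f"{name:10} -> {status} {detail}")
```

Running `demo()` shows the valid token forwarded and every other case answered with the configured 401. The `wrong_key` and `tampered` cases are the two situations behind the IDX10500 error in step 5: the signature does not match any key the verifier trusts, either because another tenant issued the token or because its claims were edited after signing. The real policy also refuses unsigned tokens, which is why pinning the algorithm matters: a token with `"alg": "none"` is not a signed token.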

This setup ensures that only requests carrying a valid JWT issued by your tenant for your Logic App pass through API Management. Two caveats: the policy only protects the API Management front door, so the Logic App's own trigger URL remains callable by anyone who has it unless you restrict inbound access on the Logic App (for example, to the API Management instance's IP addresses); and for Azure AD tokens specifically, the `validate-azure-ad-token` policy is a purpose-built alternative that takes the tenant ID directly instead of an `openid-config` URL[5].

Citations:
[1] https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy
[2] https://techcommunity.microsoft.com/blog/azuredevcommunityblog/part-4-secure-your-logic-app-using-api-management-8211-validate-jwt-access-restr/336802
[3] https://carldesouza.com/adding-a-validate-jwt-policy-to-azure-api-management/
[4] https://blog.devops.dev/how-to-implement-jwt-validation-in-azure-apim-ffe0e758b045
[5] https://learn.microsoft.com/en-us/azure/api-management/validate-azure-ad-token-policy
[6] https://stackoverflow.com/questions/76816622/validating-third-party-api-keys-basic-authentication-on-azure-api-management
[7] https://azure.github.io/apim-lab/apim-lab/7-security/security-7-1-jwt-validation.html
[8] https://auth0.com/blog/how-to-validate-jwt-dotnet/