To set up the validate-jwt policy in Azure API Management, follow these steps:
1. Access the Policy Editor:
- Navigate to your API in Azure API Management.
- Select the API endpoint or "All Operations" or "All APIs" depending on where you want to apply the policy.
- Click on the "Policy Editor" button in the "Inbound processing" section.
2. Add the Validate-JWT Policy:
- In the policy editor, locate the `<inbound>` section and add the `<validate-jwt>` policy below the `<base />` tag if present.
- The policy element is `<validate-jwt>`; step 4 shows a complete example.
3. Configure the Policy Elements:
- `header-name`: Specify the HTTP header that carries the JWT, typically "Authorization".
- `require-scheme`: Optionally specify the scheme, such as "Bearer".
- `issuer-signing-keys`: Provide the signing keys or certificates used to validate the token's signature.
- `audiences`: List the expected audience values in the token.
- `issuers`: List the expected issuer values in the token.
- `required-claims`: Specify any additional claims that must be present in the token.
4. Example Configuration:
Here's an example configuration that includes issuer signing keys, audiences, and issuers (`{{jwt-signing-key}}` refers to an API Management named value):
```xml
<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
  <issuer-signing-keys><key>{{jwt-signing-key}}</key></issuer-signing-keys>
  <audiences><audience>@(context.Request.OriginalUrl.Host)</audience></audiences>
  <issuers><issuer>http://contoso.com/</issuer></issuers>
</validate-jwt>
```
5. Test the Configuration:
- Use tools like Postman to test your API with a valid JWT token in the Authorization header.
- Ensure the token is correctly formatted and includes all required claims.
6. Troubleshooting:
- If validation fails, check the error messages for clues, such as missing or invalid tokens.
- Verify that the signing keys and issuer information match the token's configuration.
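As an added example (not from the cited sources or APIM's own implementation), the following Python script mints an HS256 test token for step 5 and models the check each policy element from step 3 performs, returning the reason a token is rejected for step 6. The key, issuer, audience and claim values are constructed for the example.

```python
# Added example: a minimal model of the checks validate-jwt performs (HS256 only,
# stdlib only). Not APIM's implementation; token and key values are constructed.
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Mint a test token (what you would paste into Postman for step 5)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_jwt(headers, *, header_name, require_scheme, key, audiences, issuers,
                 required_claims, now=None):
    """Return (ok, reason); each check maps to one policy element from step 3."""
    raw = headers.get(header_name)                      # header-name
    if raw is None:
        return False, f"missing {header_name} header"
    scheme, _, token = raw.partition(" ")               # require-scheme
    if scheme != require_scheme or not token:
        return False, f"expected scheme {require_scheme}"
    try:
        h, p, s = token.split(".")
        hdr = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if hdr.get("alg") != "HS256":                       # never accept alg=none
        return False, f"unsupported alg {hdr.get('alg')}"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):          # issuer-signing-keys
        return False, "invalid signature"
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    aud = claims.get("aud")                             # audiences
    if not any(a in audiences for a in (aud if isinstance(aud, list) else [aud])):
        return False, "audience mismatch"
    if claims.get("iss") not in issuers:                # issuers
        return False, "issuer mismatch"
    for name in required_claims:                        # required-claims
        if name not in claims:
            return False, f"missing claim {name}"
    return True, "ok"
```

Run a token through `validate_jwt` with the same audience, issuer and required-claim values as your policy before sending it to the gateway; the returned reason narrows down which element of the configuration disagrees with the token.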
By following these steps, you can effectively set up and test the validate-jwt policy in Azure API Management to secure your APIs with JWT validation.