

How do I set up the Validate JWT policy in the Azure API Management Service


To set up the Validate JWT policy in Azure API Management, follow these steps:

1. Access the Azure Portal and Navigate to API Management:
- Log into the Azure portal and navigate to your API Management service instance.

2. Open the Policy Editor:
- Select the API or operation where you want to apply the policy. Click on the "Policy Editor" button in the "Inbound processing" section.

3. Add the Validate JWT Policy:
- In the policy editor, add the following XML to the `<inbound>` section. This example validates a JWT carried as a bearer token in the `Authorization` header and rejects the request with HTTP 401 if validation fails:

```xml
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud">
            <value>{backend-app-client-id}</value>
        </claim>
    </required-claims>
</validate-jwt>
```

Replace `{aad-tenant}` with your Azure AD tenant ID and `{backend-app-client-id}` with the client (application) ID of your backend application. The gateway fetches the issuer's signing keys from the OpenID Connect discovery document named in `openid-config`, so you do not have to paste keys into the policy for Azure AD tokens.

4. Configure Additional Validation Criteria:
- You can further customize the policy by specifying additional validation criteria such as accepted issuers, explicit signing keys, and required claims. For example, you can list several accepted issuers and require a claim to carry a particular value:

```xml
<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
    <openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />
    <issuers>
        <issuer>issuer1</issuer>
        <issuer>issuer2</issuer>
    </issuers>
    <required-claims>
        <claim name="{claim-name}">
            <value>true</value>
        </claim>
    </required-claims>
</validate-jwt>
```

Replace `issuer1` and `issuer2` with the exact `iss` values your tokens carry, and `{claim-name}` with the name of the claim you want to require.

5. Save and Test the Policy:
- After configuring the policy, save the changes. Test it by sending a request with a valid JWT in the `Authorization` header (as `Bearer <token>`) using a tool like Postman, and confirm that a request with a missing, expired, or wrong-audience token is rejected with the configured 401 response.

6. Troubleshooting:
- If you encounter issues, check that the token is correctly formatted (three base64url segments, sent as a bearer token), that its `iss` and `aud` claims match the policy's issuers and audiences, and that the signing keys are properly configured. Enable Azure Application Insights for detailed request logs if needed.
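When a request is rejected with the 401 from step 5 and it is not obvious which part of the policy failed, it helps to run the same checks the policy performs over the token before you look at gateway logs. The script below is an added troubleshooting example, not code from the page or from Microsoft: it mirrors the `validate-jwt` settings (header name, accepted issuers, audiences, required claims, clock skew) as a Python dictionary and reports every reason a token would be rejected. It assumes Azure AD v2.0-style issuer URLs, uses a hypothetical `roles` claim as the required-claim example, and builds its own tokens with a dummy signature segment (labelled as constructed). It deliberately does not verify signatures, since that needs the JWKS the gateway fetches from the `openid-config` URL.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Placeholders mirror the ones used in the policy XML on this page.
TENANT = "{aad-tenant}"
BACKEND_APP_ID = "{backend-app-client-id}"

# Python mirror of the <validate-jwt> settings: header-name, <issuers>,
# <audiences> (the "aud" claim), <required-claims> and clock-skew.
# Issuer format assumes Azure AD v2.0 tokens (assumption; v1.0 tokens use sts.windows.net).
POLICY = {
    "header_name": "Authorization",
    "issuers": [f"https://login.microsoftonline.com/{TENANT}/v2.0"],
    "audiences": [BACKEND_APP_ID],
    # claim name -> (match mode, accepted values); "roles"/"Reader" are hypothetical
    "required_claims": {"roles": ("any", ["Reader", "Writer"])},
    "clock_skew_seconds": 0,
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_token(headers: Dict[str, str], policy: dict, now: Optional[float] = None) -> List[str]:
    """Return the reasons the policy would reject this request (empty list means it
    passes every check below). The signature is NOT verified here: that needs the
    JWKS behind the openid-config URL, which only the gateway fetches."""
    now = time.time() if now is None else now
    skew = policy["clock_skew_seconds"]
    raw = headers.get(policy["header_name"])
    if raw is None:
        return [f"missing {policy['header_name']} header"]
    scheme, _, token = raw.partition(" ")
    if scheme != "Bearer" or not token:
        return ["header value is not of the form 'Bearer <token>'"]
    parts = token.split(".")
    if len(parts) != 3:
        return [f"token has {len(parts)} segments, expected 3 (header.payload.signature)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64 (binascii.Error) and bad JSON
        return [f"header or payload is not base64url-encoded JSON: {exc}"]

    problems: List[str] = []
    if header.get("alg") in (None, "none"):
        problems.append("unsigned token (alg=none) can never satisfy the signing-key check")
    if "kid" not in header:
        problems.append("no 'kid' in header: key selection from the JWKS normally relies on it")
    if claims.get("iss") not in policy["issuers"]:
        problems.append(f"issuer {claims.get('iss')!r} is not in <issuers>")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(policy["audiences"]):
        problems.append(f"audience {aud!r} does not match the configured audiences")
    if "exp" not in claims:
        problems.append("no exp claim (require-expiration-time defaults to true)")
    elif claims["exp"] + skew < now:
        problems.append(f"token expired {now - claims['exp']:.0f}s ago")
    if claims.get("nbf", 0) - skew > now:
        problems.append("token not yet valid (nbf is in the future)")
    for name, (mode, wanted) in policy["required_claims"].items():
        actual = claims.get(name)
        if actual is None:
            problems.append(f"required claim '{name}' is missing")
            continue
        actual = [actual] if isinstance(actual, str) else list(actual)
        ok = set(wanted) <= set(actual) if mode == "all" else bool(set(wanted) & set(actual))
        if not ok:
            problems.append(f"claim '{name}'={actual!r} does not satisfy match={mode} {wanted!r}")
    return problems


def make_unsigned_test_token(claims: dict, kid: str = "test-kid") -> str:
    """Constructed test token with a dummy signature segment, for exercising
    inspect_token() offline. It would fail the gateway's real signature check."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the constructed tokens stay reproducible
    good = make_unsigned_test_token({"iss": POLICY["issuers"][0], "aud": BACKEND_APP_ID,
                                     "exp": now + 3600, "nbf": now - 60, "roles": ["Reader"]})
    stale = make_unsigned_test_token({"iss": "https://sts.windows.net/other-tenant/",
                                      "aud": "api://some-other-app", "exp": now - 10})
    for label, tok in (("good", good), ("stale", stale)):
        print(label, inspect_token({"Authorization": f"Bearer {tok}"}, POLICY, now=now)
              or ["passes every check except the signature, which only the gateway verifies"])
```

To use it against a real rejection, paste the token from the failing request into `inspect_token` with the `POLICY` dictionary edited to match your `validate-jwt` element; an empty result narrows the problem down to the signature or the `openid-config` URL, which is where Application Insights traces come in.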

This setup ensures that only requests with valid JWT tokens are allowed to proceed, enhancing the security of your API.
