JWT Validation - Custom response message

Nagashree Balasundaram 731 Reputation points
2022-12-05T17:31:42.487+00:00

Is it possible to set a custom response message for JWT Token validation failure such as "Invalid Token" or "Token expired" based on the error?
Which attributes in the error will be able to provide that information to set the custom message?

I did take a look at this earlier post - https://stackoverflow.com/questions/60988489/custom-response-body-for-validate-jwt-in-azure-apim, which gives an example of setting a custom error message. But I am looking for information on the error attributes from the policy error message to set the response.
For example: the APIM trace shows the message below when the token is expired. How do I access or retrieve the "message" value from the data element; which context variable would contain this?
"on-error": [
{
"source": "validate-jwt",
"timestamp": "2022-12-05T17:21:08.5888200Z",
"elapsed": "00:00:02.1114865",
"data": {
"message": "JWT Validation Failed: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '12/2/2022 7:14:50 PM', Current time: '12/5/2022 5:21:08 PM'.."
}
}

and the message below for an invalid token:
"on-error": [
{
"source": "validate-jwt",
"timestamp": "2022-12-05T17:35:16.0490598Z",
"elapsed": "00:00:00.0171990",
"data": {
"message": "JWT Validation Failed: IDX12729: Unable to decode the header 'yJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkxXSS00VjM4bTVtZjllS05wSWhFbCJ9' as Base64Url encoded string. jwtEncodedString: 'yJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkxXSS00VjM4bTVtZjllS05wSWhFbCJ9.eyJ1c2VybmFtZSI6Ijk5OUBpbnRlZ3JhdGlvbi5jdWRpcmVjdC5jb20iLCJpc3MiOiJodHRwczovL2Rldi5vcmlnZW5jZWlkLmNvbS8iLCJzdWIiOiJJVnZHNlR1VkY5b3ZucDlKZ2hiZ0lud2F6MDlyRXNPaEBjbGllbnRzIiwiYXVkIjoiT3JpZ2VuY2UgUm9ja2luIEF3ZXNvbWUgRXh0ZXJuYWwgQVBJcyIsImlhdCI6MTY2OTkyMjA5MCwiZXhwIjoxNjcwMDA4NDkwLCJhenAiOiJJVnZHNlR1VkY5b3ZucDlKZ2hiZ0lud2F6MDlyRXNPaCIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9.oav_cZUZew_DjNVs7vUcnBm3r3Qb88QAwwekteFj1dSppAz53RDhUFWpIJMWGfdcx5J9muj0LAs6otsPyUW_HVZkScgmHkGd3xfX8hpGtLu2ocmoyxAEJVPayZ7-K5Zy69IuW7ZRMBXp41bV_kwUDPyp61CHS6yKVrMIR1bG2jNK-ZvNNHobOY9HZE33ABiUO-sxibSHOyV9VsiO8LGRj5ArfvvTT2W1fyrz6SUpEcDhmg1hVyiqtn8uwMMKZ5FoKVtoxMZsxkpTfya4PAsIxKBbqGu9mAHmzg63fQs2WHgnSwwq6ODwofc5K0pTWgaD-44IoeNQ1zbfSH2qvn6tYA'.."
}
}

Azure API Management

Accepted answer
  1. JananiRamesh-MSFT 21,091 Reputation points
    2022-12-07T13:29:27.73+00:00

    Hi @Nagashree Balasundaram, thanks for reaching out. You must use the LastError property to achieve this; please refer to this document for more information: https://learn.microsoft.com/en-us/azure/api-management/api-management-error-handling-policies#lasterror


    Please refer to the policy below:

    <policies>
        <inbound>
            <!-- Any validation failure raises an error that is handled in the on-error section below -->
            <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
                <openid-config url="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
                <required-claims>
                    <claim name="aud">
                        <value>524d5efb-664f-4aa2-9e14-xxxxxxxxx</value>
                    </claim>
                </required-claims>
            </validate-jwt>
        </inbound>
        <backend>
        </backend>
        <outbound>
        </outbound>
        <on-error>
            <!-- context.LastError.Message carries the validation detail seen in the trace's data.message -->
            <return-response>
                <set-status code="401" reason="Unauthorized" />
                <set-header name="message" exists-action="override">
                    <value>@(context.LastError.Message)</value>
                </set-header>
            </return-response>
        </on-error>
    </policies>


    Do let me know in case of further queries; I would be happy to assist you.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

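Building on the accepted answer, the policy below is an added example (not code from the answer or from the APIM documentation) that maps the IDX codes visible in the question's trace to short client-facing messages in a JSON body, rather than echoing context.LastError.Message, which contains the full token and validation timestamps. It reuses the aud value and openid-config URL from the answer's sample and assumes the IDX code strings stay stable across validator versions.

```xml
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>524d5efb-664f-4aa2-9e14-xxxxxxxxx</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
        <!-- Only validate-jwt failures get the mapped message; other errors fall back to "Unauthorized" -->
        <return-response>
            <set-status code="401" reason="Unauthorized" />
            <set-header name="Content-Type" exists-action="override">
                <value>application/json</value>
            </set-header>
            <set-body>@{
                // Internal detail stays in the trace; the client only sees a short category.
                var detail = context.LastError.Message ?? "";
                string msg = "Unauthorized";
                if (context.LastError.Source == "validate-jwt") {
                    if (detail.Contains("IDX10223")) { msg = "Token expired"; }      // lifetime validation failed
                    else if (detail.Contains("IDX12729")) { msg = "Invalid token"; } // header not Base64Url-decodable
                }
                return new JObject(new JProperty("error", msg)).ToString();
            }</set-body>
        </return-response>
    </on-error>
</policies>
```

The IDX codes are matched on context.LastError.Message because that is the field the trace shows; the full text remains available in the APIM trace for diagnostics.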

1 additional answer

  1. Jain, Kapil 0 Reputation points
    2023-08-07T13:34:20.8666667+00:00

    How to handle the error "IDX10223: Lifetime validation failed. The token is expired" in Azure AppInsights in an ASP.NET Core API?
