APIM Validate JWT Policy giving error when require-signed-tokens="false" to skip the signature validation

2024-03-15T13:09:42.2633333+00:00

Hi

I am using APIM to validate JWT tokens, and this is how my policy looks.

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="false" />

I need to check the token expiration alone. As require-signed-tokens is set to true by default, to skip the signature validation I have set require-signed-tokens="false". It was mentioned in this blog:

https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy

By using the above policy I am facing this error. It is still looking for security keys even though require-signed-tokens="false" is set.

validate-jwt (-0.122 ms) { "message": "JWT Validation Failed: IDX10500: Signature validation failed. No security keys were provided to validate the signature.." }

Please suggest a fix or a workaround for this.

1 answer
  JananiRamesh-MSFT
    2024-03-25T04:40:34.8266667+00:00

    @Sanka, Sri Naga Sai Pravallika (Cognizant) Thanks for your patience! require-signed-tokens="false" simply removes the requirement for the incoming token to have a signature. However, if the incoming token has a signature, it will be validated, and an error is thrown if the signature is invalid. In the scenario above, it seems like the token does have a signature, so the error is expected.

    Do let me know in case of further queries; I would be happy to assist you.
