Trying to apply JWT policy for an API import ( Function App )

Question

Hi all,

These are the steps i did for testing JWT Policy

1. Got an API Management service created
2. Got a Function App created
3. Import Function App in API Management instance
4. Created a backend app and got a scope created (Expose an API)
5. Created a client app and client secret generated
6. In API management instance got an active directory server using OAuth 2.0 + OpenID Connect
7. Defined redirect URL in client app
8. Publish service in developer portal

After doing all of the above steps, have been experiencing issues in getting authorization header to my "Try" option in developer console. The moment i change authorization flow to authorization_code it opens a new window and displays below message. I just shortened the message but it gives below error. Kindly help me

Please i am using Pay as you go subscription and a developer tier SLA

might be temporarily down or it may have moved permanently to a new web address.

ERR_INVALID_RESPONSE

Answer 1

Hello Kishan Mohan Nallajerla,

Based on the error you’re seeing (ERR_INVALID_RESPONSE during the authorization_code flow), this is most commonly caused by a redirect URI mismatch in the client app registration.

Could you please verify the following:

1. Redirect URI Ensure the redirect URI configured in your client app exactly matches: https://.developer.azure-api.net/signin-oauth/code/callback/ Even a small mismatch (missing path, HTTP vs HTTPS, or incorrect auth server name) can cause this error.
2. Authorization Endpoint Confirm you are using the tenant-specific endpoint: https://login.microsoftonline.com//oauth2/v2.0/authorize (avoid using /common during testing)

Validate Flow Outside APIM Try accessing the authorization URL directly in a browser or via Postman to confirm whether the issue is with the app registration or API Management configuration.

Browser Debugging Open Developer Tools → Network tab and check for failed redirects or blocked responses during login.

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

 

Answer 2

The error in the developer portal “Try it” flow is almost always caused by a misconfigured OAuth 2.0 / OpenID Connect setup in API Management or in the Entra ID (Azure AD) app registrations, not by the API Management tier or subscription.

To get a working JWT-based “Try it” experience for a Function App imported into API Management, verify these areas end-to-end:

1. Validate the token itself

• First confirm that the client app can obtain a valid token for the backend scope outside of API Management.
• Use a test redirect to https://jwt.ms and sign in with the client app to inspect the token and confirm:
  • aud (audience) is the backend app’s Application ID URI or client ID (depending on how the scope is defined).
  • iss (issuer) matches the tenant and policy (for B2C) or tenant (for Entra ID).
  • The scope (for example api://<back-end-client-id>/user_impersonation) is present.
• This is described in the JWT troubleshooting guidance: use https://jwt.ms to decode and validate the JWT first.

2. Configure validate-jwt in API Management correctly

• In the API Management inbound policy for the imported Function App, add a <validate-jwt> policy that matches the token being issued:
  • openid-config URL must point to the correct well-known configuration endpoint for the tenant (and B2C policy if using B2C).
  • audience (or <audiences>) must contain the backend app’s application ID(s) that appear in the token’s aud claim.
  • If using B2C, also configure issuer (or <issuers>) to match the B2C issuer(s).
• Example patterns:
  • For Entra ID: use the tenant’s v2 .well-known/openid-configuration endpoint and set the audience to the backend app’s client ID.
  • For B2C: use the B2C policy’s well-known configuration URL, set <audience> to the B2C application ID, and <issuer> to the B2C issuer URL.
• If any of these values do not match the token, API Management will reject the call even if the developer portal shows a successful sign-in.

3. Ensure the OAuth 2.0 + OpenID Connect server in API Management matches the app registration

• In API Management, the configured authorization server must use:
  • The same authorization and token endpoints as the app registration (tenant/B2C policy specific).
  • The same client ID and client secret as the client app registration.
  • A scope that matches what the backend exposes (for example api://<back-end-client-id>/user_impersonation).
• The redirect URL configured in the client app must exactly match the redirect URL configured in the API Management authorization server for the developer portal “Try it” flow.
  • Any mismatch here can cause the browser to show an invalid response or redirect error.

4. Configure the backend (Function App) to require and validate tokens

• For defense in depth, configure the Function App’s Authentication/Authorization (EasyAuth) to use the same identity provider and audience/issuer as the tokens being issued.
• Set unauthenticated requests to return HTTP 401 so that only calls with a valid JWT in the Authorization: Bearer header are accepted.
• This ensures that:
  1. API Management validates the JWT with validate-jwt.
  2. The Function App also validates the JWT via EasyAuth.

5. Typical working flow
6. User clicks “Authorize” in the developer portal.
7. Browser is redirected to the Entra ID/B2C authorization endpoint using the client app registration.
8. After sign-in and consent, the browser is redirected back to the API Management developer portal redirect URL with an authorization code.
9. API Management exchanges the code for an access token using the configured client secret.
10. The developer portal “Try it” adds Authorization: Bearer <access_token> to the request.
11. API Management inbound policy runs validate-jwt (or validate-azure-ad-token) and, if valid, forwards the request to the Function App.

If any of these steps are misconfigured (wrong redirect URI, wrong scope, wrong openid-config URL, or mismatched audience/issuer), the result can be an invalid browser response during the auth_code flow or missing/invalid Authorization headers in the “Try it” console.

---

References:

• How to authorize test console of developer portal by configuring OAuth 2.0 user authorization
• Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID
• Secure an Azure API Management API with Azure AD B2C
• Troubleshoot Azure AD B2C custom policies and user flows (b2c-custom-policy)
• Protect serverless APIs with Azure API Management and Azure AD B2C for consumption from a SPA
• Tutorial: Authenticate and authorize users end-to-end in Azure App Service (platform-linux)
• Tutorial: Authenticate and authorize users end-to-end in Azure App Service (platform-windows)