Azure APIM - Validate JWT Token Policy not supporting require-expiration-time

Ashish Harjani 21 Reputation points
2020-09-15T22:10:18.837+00:00

Hi,

I have a JWT Token. I want to skip the check for expiry as mentioned in the blog: https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT

So I have set require-expiration-time="false" in my policy. When I pass the expired JWT Token, the validity check still kicks in and it throws the below error:

{
"message": "JWT Validation Failed: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '09/15/2020 19:31:28', Current time: '09/15/2020 22:04:30'.."
}

Below is my policy:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="false">
    <openid-config url="{{B2COpenIdUrl}}" />
</validate-jwt>

Can the experts help on how I can force the policy to not do the expiry check?

Azure API Management

Accepted answer
  1. Pramod Valavala 20,591 Reputation points Microsoft Employee
    2020-09-16T17:17:03.967+00:00

    The require-expiration-time allows for tokens without an exp claim but would still check the validity of the token if present. There is no way to work around this, unless you have control over the provider that issues the tokens and don't include the exp claim. Instead, you could simply remove the policy and perform the validation as required by you in your backend.

    Please feel free to raise a feature request to add support via an attribute for skipping lifetime validity checks.


    On a side note, it would help to know why you want to skip this check. There could be a better approach to what you are trying to achieve.
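
Added example, not part of the original answer and not API Management's own code: a Python model of the behaviour the accepted answer describes, where require-expiration-time only decides whether a token without an exp claim is tolerated. The tokens are constructed samples with a dummy signature, the ValidTo and current times from the error message are assumed to be UTC, and signature validation and clock skew are not modelled.

```python
import base64
import json
from datetime import datetime, timezone


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a dummy."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url(b'constructed-signature')}"


def read_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def lifetime_decision(token: str, require_expiration_time: bool, now: datetime) -> str:
    """Model of the lifetime check only (hypothetical helper, not a real API)."""
    exp = read_claims(token).get("exp")
    if exp is None:
        # The attribute governs only this branch: is a missing exp tolerated?
        return "reject: no exp claim" if require_expiration_time else "accept"
    # An exp claim that is present is always checked, whatever the attribute says.
    if now.timestamp() >= exp:
        return "reject: token is expired"
    return "accept"


# Times taken from the error message in the question, assumed to be UTC.
VALID_TO = datetime(2020, 9, 15, 19, 31, 28, tzinfo=timezone.utc)
NOW = datetime(2020, 9, 15, 22, 4, 30, tzinfo=timezone.utc)

EXPIRED = make_token({"sub": "constructed-user", "exp": int(VALID_TO.timestamp())})
NO_EXP = make_token({"sub": "constructed-user"})

if __name__ == "__main__":
    for name, tok in (("expired", EXPIRED), ("no exp", NO_EXP)):
        for flag in (True, False):
            print(f"{name:8} require-expiration-time={flag}: "
                  f"{lifetime_decision(tok, flag, NOW)}")
```

The question's case is the expired token with the attribute set to false: it is still rejected, and only the token without an exp claim changes outcome when the attribute is toggled.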

