JWT validation failure error
Question
Wednesday, August 28, 2019 8:36 AM
Hello,
I am currently trying to implement Oauth4.0 to protect an API using the documentation below:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
I am currently using the DEMO CONFERENCE API provided by Azure APIM to test the implementation,
and I am currently receiving the following error during testing in the developer portal:
"message": "JWT Validation Failed: Claim value mismatch: aud=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx.."
I have configured the JWT validation policy as below:
<inbound>
    <base />
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid." require-expiration-time="false" require-signed-tokens="false">
        <openid-config url="https://login.microsoftonline.com/xxxxxxxxx-07c8-xxxxx-xxxx-xxxxxxxxx/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud" match="all" separator="-">
                <value>xxxxxxxx-xxxxx-489e-a26e-xxxxxxxx</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
Thanks for your support in advance.
All replies (5)
Wednesday, August 28, 2019 8:39 AM
Hi Rachit,
You can check the validate-jwt policy claim value you have given against the token value.
The token value can be decoded on this website: https://jwt.io/
Then you can compare both values.
Thanks,
Sujith.
Sujith
Wednesday, August 28, 2019 9:07 AM
Thanks Sujith, for your prompt feedback.
I compared the value passed in the token by decoding it,
and I can see "aud": "api://xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxx"
and in the claim value it is aud="xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxx",
i.e. both are the same except that in the token the value is passed with "api://", which is completely fine I guess.
Wednesday, August 28, 2019 2:51 PM
You can remove the "api://" and give it exactly the same.
Sujith
Thursday, August 29, 2019 5:42 AM
Hello Sujith,
The value "aud": "api://xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxx" is present within the token generated for authorization, so I can't change it there.
Or is there a way to change it?
Rachit Rastogi
Friday, August 30, 2019 5:53 AM
You can change it in the app registration, under Expose an API, but it's normally, as you said, api:// or https.
Can you let me know how you are generating the token?
Is it with the authorization endpoint?
In the resource, can you give it exactly like api:// and try it out?
Sujith
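For reference, the shape the policy takes once the required aud value is written exactly as it appears in the token (api:// prefix included), as an added example that is not from this thread or from the Azure documentation. TENANT_ID and APP_ID are placeholders for the tenant GUID and the app registration's application (client) ID; it assumes the Application ID URI in the app registration is api://APP_ID and that tokens are requested for that resource. Unlike the original post it also leaves signature and expiry checks enabled and drops the separator attribute, which would otherwise split the GUID on "-" before comparing.

```xml
<inbound>
    <base />
    <!-- Added example, not the poster's configuration. TENANT_ID and APP_ID are placeholders. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true">
        <!-- Signing keys and issuer are discovered from the tenant's OpenID configuration. -->
        <openid-config url="https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration" />
        <required-claims>
            <!-- The value must equal the token's aud claim exactly, so the api:// prefix stays.
                 No separator attribute: the claim is compared as one string. -->
            <claim name="aud" match="all">
                <value>api://APP_ID</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

If the token's aud instead carries the bare GUID (for example when the token was requested for the client ID rather than the Application ID URI), the value element must match that form; the policy never rewrites the claim.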