

JWT validation failure error

Question

Wednesday, August 28, 2019 8:36 AM

Hello ,

I am currently trying to implement Oauth4.0 to protect an API using the documentation below

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

And I am currently using the DEMO CONFERENCE API provided by Azure APIM to test the implementation.

And I am currently receiving the following error when testing in the developer portal:

"message": "JWT Validation Failed: Claim value mismatch: aud=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx.."

I have configured the JWT validation policy as below:

<inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid." require-expiration-time="false" require-signed-tokens="false">
            <openid-config url="https://login.microsoftonline.com/xxxxxxxxx-07c8-xxxxx-xxxx-xxxxxxxxx/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud" match="all" separator="-">
                    <value>xxxxxxxx-xxxxx-489e-a26e-xxxxxxxx</value>
                </claim>
            </required-claims>
        </validate-jwt>
</inbound>

Thanks for support in advance.

All replies (5)

Wednesday, August 28, 2019 8:39 AM

Hi Rachit,

You can check the claim value you have given in the Validate JWT policy against the token value.

The token value can be decoded on this website: https://jwt.io/

Then you can compare both values.

Thanks,

Sujith.

Sujith


Wednesday, August 28, 2019 9:07 AM

Thanks Sujith, for your prompt feedback.

I compared the value passed in the token by decoding it,

and I can see "aud": "api://xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxx"

and in the claim value it is aud="xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxx"

i.e. both are the same except that the token value is passed with "api://", which is completely fine I guess.


Wednesday, August 28, 2019 2:51 PM

You can remove the "api://" and give it exactly the same.

Sujith


Thursday, August 29, 2019 5:42 AM

Hello Sujith,

The value "aud": "api://xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxx" is present within the token generated for authorization, so I can't change it there.

Or is there a way to change it?

Rachit Rastogi


Friday, August 30, 2019 5:53 AM

You can change it in the app registration. Expose an API, but it's normally, as you said, api:// or https.

Can you let me know how you are generating the token?

Is it with the authorization endpoint?

In the resource, can you give it exactly like api:// and try it out?

Sujith
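The thread ends with Sujith's suggestion to make the configured value exactly what the token carries, i.e. the full api:// URI. The policy below is an added example written for this page, not code from the thread or from Microsoft's documentation, showing the original failing policy next to a corrected one; the tenant id and application id URI are placeholders you would replace with your own. Two things change in the corrected version. First, the required aud value is the complete api://... string, so it equals the claim in the token instead of only its GUID part. Second, the separator="-" attribute is dropped: in validate-jwt, separator tells the policy to split a multi-valued claim on that string, so a hyphen separator breaks a GUID-based audience into fragments that can never equal the configured value. The corrected block also turns require-signed-tokens and require-expiration-time back to true, which is the hardening choice a defender wants once the audience check is sorted out, since an unsigned or non-expiring token should not pass the gateway.

```xml
<!-- Added example for this page; tenant id and app id URI are placeholders. -->

<!-- Failing policy, as posted in the question:
     aud in the token is "api://APP-ID-PLACEHOLDER", the configured value is
     only the GUID, and separator="-" splits the claim on every hyphen. -->
<inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-expiration-time="false"
                  require-signed-tokens="false">
        <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud" match="all" separator="-">
                <value>APP-ID-PLACEHOLDER</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>

<!-- Corrected policy:
     - the aud value is the full application id URI, exactly as issued in the token
     - no separator, so the claim is compared as a single string
     - signature and expiry checks are required again -->
<inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-expiration-time="true"
                  require-signed-tokens="true">
        <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud" match="all">
                <value>api://APP-ID-PLACEHOLDER</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

To confirm the fix before deploying it, decode the access token's payload as the first reply suggests and paste the aud value into the policy character for character; whether the token carries api://GUID or an https URI depends on the Application ID URI set under "Expose an API" in the app registration, and the policy must mirror that setting rather than the bare GUID.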