I have a validate-jwt instruction in my APIM API policy (<inbound> section).
I am sending a hopefully correct token in a header and the request still fails.
What would be the way to find out from the APIM which specific JWT token validation check has failed?
CodePudding user response:
Have you checked that the JWT is in fact valid? To do this you can paste the whole token value to https://jwt.ms in order to decode the token to see if you are missing any information.
If the token is valid, I would suggest setting up Application Insights for APIM if you haven't done that already and see if you can get any more relevant information from the logs there.
CodePudding user response:
I have figured out how to do the logging.
- Enable Application Insights for APIM, set 100% sampling for your desired API and enable necessary flags (see Application Insights for APIM).
- In the designated Application Insights instance, the JWT token issues are found if you query
exceptions
| where type =="TokenInvalidIssuer"
so you get something like
IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/(abridged UUID)/'. Did not match: validationParameters.ValidIssuer: '' or validationParameters.ValidIssuers: 'https://login.microsoftonline.com/{tenantid}/v2.0'.
outerMethod: validate-jwt
Also, from App Insights' Application map one can click through to failed requests and drill down to exceptions, arriving at similar log outputs.
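An added example, not part of either answer above: a local diagnostic that decodes a token's claims (as the first answer does with jwt.ms) and reports which claim checks would not pass against the values the policy expects, reproducing the issuer mismatch from the logged exception. The function names, the constructed token, the all-zero tenant ID and the audience value are assumptions; the signature is not verified.

```python
import base64, json, time

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # Diagnostic only: reads the payload, does NOT verify the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def failed_checks(claims, valid_issuers, valid_audiences, now=None):
    """Return the names (hypothetical labels) of claim checks that would not pass."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") not in valid_issuers:
        failures.append("issuer")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if not set(auds) & set(valid_audiences):
        failures.append("audience")
    if "exp" not in claims or claims["exp"] <= now:
        failures.append("expired")
    if claims.get("nbf", 0) > now:
        failures.append("not-yet-valid")
    return failures

def encode_segment(obj) -> str:
    # Helper used only to build the constructed sample token below.
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: v1-style issuer as in the logged exception, placeholder tenant ID.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_TOKEN = ".".join([
    encode_segment({"alg": "RS256", "typ": "JWT"}),
    encode_segment({"iss": f"https://sts.windows.net/{TENANT}/",
                    "aud": "api://example-api",
                    "exp": 2000000000, "nbf": 1700000000}),
    "c2ln",  # dummy signature bytes, never checked here
])
EXPECTED_ISSUERS = [f"https://login.microsoftonline.com/{TENANT}/v2.0"]
EXPECTED_AUDIENCES = ["api://example-api"]

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(claims["iss"], failed_checks(claims, EXPECTED_ISSUERS, EXPECTED_AUDIENCES))
```

An empty result only means the claims line up with the expected values; the gateway still has to verify the signature.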