
JWT Validation policy suddenly not valid when changed to a different audience with Azure API Management

I have a strange problem changing the value of the audience element below for JWT validation within APIM; ref link below:

https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT

1 new link: https://new.onelogin.com/oidc/token

I only changed the value of the audience element from the old version in 2. But I get the validation error below from the APIM portal when I try to save the policy:

The element 'validate-jwt' has invalid child element 'openid-config'. List of possible elements expected: 'required-claims'.

Please note that the old version in 2 doesn't need the 'required-claims' element.

client_id=new xxx

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
        <audiences>
            <audience>new xxx</audience>
        </audiences>
        <issuers>
            <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
        </issuers>
        <openid-config url="https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration" />
    </validate-jwt>

2 The old URL and JWT validation, and it works.

https://old.onelogin.com/oidc/token

client_id=old xxx

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
        <audiences>
            <audience>old xxx</audience>
        </audiences>
        <issuers>
            <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
        </issuers>
        <openid-config url="https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration" />
    </validate-jwt>

Any idea?

Updates:

Now even the original policy that was working has the issue, even though nothing has been changed:

The element 'validate-jwt' has invalid child element 'openid-config'. List of possible elements expected: 'required-claims'.

You need to move the openid-config up in the XML and keep it just under the validate-jwt opening tag. Please see below:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
    <openid-config url="" />
    <issuer-signing-keys>
        <key>Base64 Encoded Key</key>
    </issuer-signing-keys>
    <audiences>
        <audience></audience>
    </audiences>
    <issuers>
        <issuer></issuer>
    </issuers>
</validate-jwt>
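The error in the question is an element-order problem, not a content problem: the APIM policy schema expects the children of validate-jwt in a fixed sequence, and openid-config placed after issuers fails schema validation. The following pre-deployment check is an added example and is not code from the question, the answer or Microsoft; it assumes the child order openid-config, issuer-signing-keys, audiences, issuers, required-claims, which is what the error message and the answer together imply (the real schema may define further elements, so the list is an assumption to extend). It flags out-of-order children and can rewrite a policy fragment into the accepted order.

```python
import xml.etree.ElementTree as ET
from typing import List

# Child order of <validate-jwt> implied by the error message and the answer.
# Assumption: the full APIM schema may list more elements; extend if needed.
CHILD_ORDER = ["openid-config", "issuer-signing-keys", "audiences", "issuers", "required-claims"]
RANK = {name: i for i, name in enumerate(CHILD_ORDER)}


def check_validate_jwt_order(policy_xml: str) -> List[str]:
    """Return a list of ordering problems; an empty list means the order is acceptable."""
    root = ET.fromstring(policy_xml)
    if root.tag != "validate-jwt":
        return [f"expected <validate-jwt> root, got <{root.tag}>"]
    problems: List[str] = []
    last_rank, last_tag = -1, ""
    for child in root:
        if child.tag not in RANK:
            problems.append(f"unknown child element <{child.tag}>")
            continue
        if RANK[child.tag] < last_rank:
            # This child belongs earlier than one we already saw (the question's case).
            problems.append(f"<{child.tag}> must come before <{last_tag}>")
        else:
            last_rank, last_tag = RANK[child.tag], child.tag
    return problems


def reorder_children(policy_xml: str) -> str:
    """Rewrite the fragment with children sorted into CHILD_ORDER (unknown tags go last)."""
    root = ET.fromstring(policy_xml)
    children = sorted(list(root), key=lambda c: RANK.get(c.tag, len(CHILD_ORDER)))
    for child in list(root):
        root.remove(child)
    root.extend(children)
    return ET.tostring(root, encoding="unicode")


# Constructed samples: the asker's layout (openid-config last) and the answer's layout.
BROKEN_POLICY = """<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
    <audiences><audience>new xxx</audience></audiences>
    <issuers><issuer>https://openid-connect-eu.onelogin.com/oidc</issuer></issuers>
    <openid-config url="https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration" />
</validate-jwt>"""

FIXED_POLICY = """<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
    <openid-config url="https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration" />
    <audiences><audience>new xxx</audience></audiences>
    <issuers><issuer>https://openid-connect-eu.onelogin.com/oidc</issuer></issuers>
</validate-jwt>"""
```

Running the check over the asker's fragment reports that openid-config must precede issuers, while the answer's layout passes; feeding the broken fragment through reorder_children yields a fragment that also passes.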
