Validate JWT Header with a different Header Name

  • Question

  • Hi,

    We need to validate 2 Headers Like below

    <validate-jwt header-name="Authorization" require-scheme="Bearer">
        <issuer-signing-keys>
            <key>{{jwt-signing-key}}</key>  <!-- signing key specified as a named value -->
        </issuer-signing-keys>
        <audiences>
            <audience>@(context.Request.OriginalUrl.Host)</audience>  <!-- audience is set to API Management host name -->
        </audiences>
        <issuers>
            <issuer>http://contoso.com/</issuer>
        </issuers>
    </validate-jwt>
    
    <validate-jwt header-name="AppAuthorization" require-scheme="Bearer">
        <issuer-signing-keys>
            <key>{{jwt-signing-key}}</key>  <!-- signing key specified as a named value -->
        </issuer-signing-keys>
        <audiences>
            <audience>@(context.Request.OriginalUrl.Host)</audience>  <!-- audience is set to API Management host name -->
        </audiences>
        <issuers>
            <issuer>http://contoso.com/</issuer>
        </issuers>
    </validate-jwt>
    

    For the second one, when we pass the header name "AppAuthorization", it always says that the JWT is not well formed.

    When I assign it back to Authorization and send it like below, it works.

    <validate-jwt header-name="Authorization" require-scheme="Bearer">
        <issuer-signing-keys>
            <key>{{jwt-signing-key}}</key>  <!-- signing key specified as a named value -->
        </issuer-signing-keys>
        <audiences>
            <audience>@(context.Request.OriginalUrl.Host)</audience>  <!-- audience is set to API Management host name -->
        </audiences>
        <issuers>
            <issuer>http://contoso.com/</issuer>
        </issuers>
    </validate-jwt>
    <set-header name="Authorization" exists-action="override">
      <value>@(context.User.Id)</value>
    </set-header>
    
    <validate-jwt header-name="Authorization" require-scheme="Bearer">
        <issuer-signing-keys>
            <key>{{jwt-signing-key}}</key>  <!-- signing key specified as a named value -->
        </issuer-signing-keys>
        <audiences>
            <audience>@(context.Request.OriginalUrl.Host)</audience>  <!-- audience is set to API Management host name -->
        </audiences>
        <issuers>
            <issuer>http://contoso.com/</issuer>
        </issuers>
    </validate-jwt>

    Is it that we have to use only Authorization as the header, and only then will it work?

    Can you please help us on this?

    Thanks,

    Sujith.


    Thursday, November 21, 2019 7:09 PM

Answers

  • I believe only in the case of the Authorization header, the Bearer portion of the header value is omitted before parsing the token. Could you try setting only the JWT token in the AppAuthorization header without the Bearer portion?
    Monday, November 25, 2019 4:38 AM
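The behaviour the answer describes, worked through as an added example (this is not code from the original thread and not API Management's own implementation): a small Python emulation of a gateway that honours the `Bearer` scheme only for the `Authorization` header and takes any other header, such as `AppAuthorization`, verbatim as the token. Under that assumption, `Bearer <jwt>` in `AppAuthorization` is handed to the JWT parser with the scheme still attached and fails as "not well formed", while the bare token validates. The signing key, the `api.contoso.example` audience (standing in for `context.Request.OriginalUrl.Host`) and the fixed clock are constructed for the demo; the issuer is the one from the policy in the question.

```python
# Added example, not from the thread or from API Management. Emulates the header
# handling described in the answer (an assumption, not confirmed by the thread)
# and validates HS256 JWTs carried in two different headers.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"  # constructed
ISSUER = "http://contoso.com/"      # issuer from the policy in the question
AUDIENCE = "api.contoso.example"    # constructed stand-in for the APIM host name
NOW = 1_700_000_000                 # fixed clock so the results are deterministic


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    # validate=True turns a stray scheme prefix such as "Bearer " into a hard error
    padded = seg + "=" * (-len(seg) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issuer side: build a compact HS256 JWT for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def extract_token(headers: dict, header_name: str, require_scheme: str) -> str:
    """Assumed gateway behaviour: the scheme is stripped only from Authorization;
    any other header is taken verbatim as the token."""
    value = headers.get(header_name)
    if value is None:
        raise ValueError(f"{header_name} header is missing")
    if header_name.lower() == "authorization":
        scheme, _, token = value.partition(" ")
        if scheme != require_scheme or not token.strip():
            raise ValueError(f"expected scheme {require_scheme}")
        return token.strip()
    return value.strip()


def validate_jwt(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> dict:
    """Structure, pinned algorithm, signature, exp, iss and aud checks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT is not well formed")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("JWT is not well formed") from exc
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("invalid signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def check_header(headers: dict, header_name: str, require_scheme: str = "Bearer",
                 now: Optional[float] = None) -> str:
    """Return 'ok' or the reason the emulated gateway rejects the request."""
    try:
        validate_jwt(extract_token(headers, header_name, require_scheme), now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "sujith", "exp": NOW + 3600})
    as_posted = {"Authorization": f"Bearer {token}", "AppAuthorization": f"Bearer {token}"}
    bare = {"Authorization": token, "AppAuthorization": token}
    head, _, sig = token.split(".")  # keep header and signature, swap the payload
    forged = b64url_encode(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin",
                                       "exp": NOW + 3600}).encode())
    tampered = {"AppAuthorization": f"{head}.{forged}.{sig}"}
    return {
        "authorization_as_posted": check_header(as_posted, "Authorization", now=NOW),
        "appauthorization_as_posted": check_header(as_posted, "AppAuthorization", now=NOW),
        "appauthorization_bare_token": check_header(bare, "AppAuthorization", now=NOW),
        "authorization_bare_token": check_header(bare, "Authorization", now=NOW),
        "tampered_payload": check_header(tampered, "AppAuthorization", now=NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} -> {result}")
```

`appauthorization_as_posted` reproduces the symptom from the question ("JWT is not well formed") because the first dot-separated segment is `Bearer eyJ...`, which is not valid base64url; the same token sent bare in `AppAuthorization` validates, which is the workaround the answer proposes. The `validate_jwt` checks mirror what the `<issuer-signing-keys>`, `<issuers>` and `<audiences>` elements of the policy ask the gateway to enforce, plus the algorithm pin and expiry check any verifier should keep.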

All replies

  • Hi sujith reddy komma - Hope my reply helps.
    Friday, November 29, 2019 4:47 AM
  • Thanks, Pramod

    Sujith

    Friday, December 6, 2019 6:53 AM