articles/api-management/api-management-access-restriction-policies.md
5 additions & 4 deletions
@@ -555,7 +555,7 @@ This policy can be used in the following policy [sections](./api-management-howt
555
555
556
556
## <aname="ValidateJWT"></a> Validate JWT
557
557
558
-
The `validate-jwt` policy enforces existence and validity of a JSON web token (JWT) extracted from either a specified HTTP header or a specified query parameter.
558
+
The `validate-jwt` policy enforces existence and validity of a JSON web token (JWT) extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value.
559
559
560
560
> [!IMPORTANT]
561
561
> The `validate-jwt` policy requires that the `exp` registered claim is included in the JWT token, unless `require-expiration-time` attribute is specified and set to `false`.
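Review bot: In the added sentence at line 558, "or matching a specific value" does not describe the third token source accurately: the syntax block changed in this same commit documents `token-value` as an "expression returning the token as a string", so the token is supplied by an expression rather than matched against a value. Suggest wording along the lines of "extracted from a specified HTTP header or query parameter, or provided by an expression through the `token-value` attribute", which also keeps the three sources parallel.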
@@ -569,10 +569,11 @@ The `validate-jwt` policy enforces existence and validity of a JSON web token (J
569
569
570
570
```xml
571
571
<validate-jwt
572
-
header-name="name of http header containing the token (use query-parameter-name attribute if the token is passed in the URL)"
572
+
header-name="name of HTTP header containing the token (alternatively, use query-parameter-name or token-value attribute to specify token)"
573
+
query-parameter-name="name of query parameter used to pass the token (alternative, use header-name or token-value attribute to specify token)"
574
+
token-value="expression returning the token as a string (alternatively, use header-name or query-parameter attribute to specify token)"
573
575
failed-validation-httpcode="http status code to return on failure"
574
576
failed-validation-error-message="error message to return on failure"
575
-
token-value="expression returning JWT token as a string"
576
577
require-expiration-time="true|false"
577
578
require-scheme="scheme"
578
579
require-signed-tokens="true|false"
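Review bot: The added `token-value` line (574) refers to a "query-parameter attribute", but the attribute is named `query-parameter-name` on the line directly above it and in the `header-name` line; use the full name so readers can copy it. The added `query-parameter-name` line (573) also says "alternative," where the other two added lines say "alternatively,". Both are wording fixes inside the attribute placeholder text and do not affect the rest of the template.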
@@ -724,7 +725,7 @@ This example shows how to use the [Validate JWT](api-management-access-restricti
724
725
| failed-validation-httpcode | HTTP Status code to return if the JWT doesn't pass validation. | No | 401 |
725
726
| header-name | The name of the HTTP header holding the token. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |
726
727
| query-parameter-name | The name of the query parameter holding the token. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |
727
-
| token-value | Expression returning a string containing JWT token. You must not return `Bearer ` as part of the token value. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |
728
+
| token-value | Expression returning a string containing the token. You must not return `Bearer ` as part of the token value. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |
728
729
| id | The `id` attribute on the `key` element allows you to specify the string that will be matched against `kid` claim in the token (if present) to find out the appropriate key to use for signature validation. | No | N/A |
729
730
| match | The `match` attribute on the `claim` element specifies whether every claim value in the policy must be present in the token for validation to succeed. Possible values are:<br /><br /> - `all` - every claim value in the policy must be present in the token for validation to succeed.<br /><br /> - `any` - at least one claim value must be present in the token for validation to succeed. | No | all |
730
731
| require-expiration-time | Boolean. Specifies whether an expiration claim is required in the token. | No | true |
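Review bot: The Required cell of the `token-value` row (728), like the `header-name` and `query-parameter-name` rows above it, says "One of `header-name`, `query-parameter-name` or `token-value` must be specified" without saying what happens when more than one is set. Now that the syntax template lists all three attributes side by side, state here whether they are mutually exclusive (for example "Exactly one of ...") or which one takes precedence, because which token actually gets validated is the detail a policy author needs to get right.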