
How to validate JWT Token from Azure AD


Article ID: 129936




STARTER PACK-7 CA Rapid App Security CA API Gateway


Hi, in order to protect our APIs from security breaches, we are implementing a pattern where API calls will contain JWT tokens in the HTTP header and Layer7 is required to decode and authorize them against Azure AD. Can you please provide assistance by directing us towards any available documentation and helping us set up the environment with the proper plugins, etc.?


Component: APIGTW


Use the Decode JSON Web Token assertion to validate the JWT against the JWKS from the Microsoft discovery URL (

The policy logic below can be used to keep the JWKS up to date:

- "At least one assertion must evaluate to true" folder
  - "All assertions must evaluate to true" folder
    - Look up the JWKS in the cache
    - Use the Decode JSON Web Token assertion to validate the JWT, etc.
  - "All assertions must evaluate to true" folder
    - Route via HTTP(S) to the JWKS URL and store the result in the cache, etc.
    - Use the Decode JSON Web Token assertion to validate the JWT
  - "All assertions must evaluate to true" folder
    - Error handling for the invalid JWT


Note: for JWKS, the "kid" (key ID) is needed to find the correct public key in the key set, and it has to be extracted from the JWT: use another Decode JSON Web Token assertion with the "None" validation method to extract the JWT header, then use a JSON path expression to get the "kid" from that header. The product documentation has sample code (start from line 32 in the screenshot of the sample policy).
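As an added illustration (not code from this article or from the Layer7 product), the steps above carried out in plain Python: read the header with no validation to get the kid, look the kid up in a cached JWKS and refetch the key set once on a miss, then check the RS256 signature. It hand-rolls the RSASSA-PKCS1-v1_5 check with only the standard library so the mechanics are visible; the `fetch` callable standing in for the HTTP route to the JWKS URL, the `JwksCache` and `verify_rs256` names, and the constructed inputs are assumptions.

```python
import base64
import hashlib
import json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo for SHA-256


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used by JWT segments and JWK n/e values."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def emsa_pkcs1_v15_sha256(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding (RFC 8017 9.2) of a SHA-256 digest for a k-byte modulus."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


class JwksCache:
    """Mirrors the policy branches: look up the key set in cache and, only on a miss,
    route to the JWKS URL and store the result. `fetch` stands in for that HTTP route."""

    def __init__(self, fetch):
        self.fetch, self.keys = fetch, {}

    def key(self, kid):
        """Return (n, e) for kid, refreshing the set once if kid is unknown (key rollover)."""
        if kid not in self.keys:
            self.keys = {
                k["kid"]: (int.from_bytes(b64url_decode(k["n"]), "big"),
                           int.from_bytes(b64url_decode(k["e"]), "big"))
                for k in json.loads(self.fetch())["keys"] if k.get("kty") == "RSA"
            }
        if kid not in self.keys:
            raise ValueError("kid not found in JWKS")
        return self.keys[kid]


def verify_rs256(token: str, cache: JwksCache) -> dict:
    """Read the header with no validation (only alg and kid, as the "None" decode step
    does), verify the RS256 signature with the matching key and return the claims.
    Checks on iss, aud and exp still belong after this step."""
    h, p, s = token.split(".")  # raises ValueError on a malformed token
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # reject "none" and HMAC algs before any key lookup
        raise ValueError("unexpected alg")
    n, e = cache.key(header.get("kid"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s)
    # RSASSA-PKCS1-v1_5: s^e mod n must reproduce the encoded message for this digest.
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    if em != emsa_pkcs1_v15_sha256(hashlib.sha256(f"{h}.{p}".encode()).digest(), k):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(p))
```

In the gateway the Decode JSON Web Token assertion performs this signature check itself; the example shows what the cache lookup, refresh and kid extraction around it have to do.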

