In the Azure API Manager there is a validate-jwt policy that can be specified. The documentation has the following phrase: "Optionally specify a key by using the id". But the id attribute is not specified in the schema for validate-jwt/issuer-signing-keys. Can someone help with a sample validate-jwt policy?

I tried adding the mentioned attribute, but the API Manager/Inbound processing form rejected it.

Answer by Ikhtesam Afrin:

You need to add the kid value in issuer-signing-keys as shown below:

<policies>
    <inbound>
        <base />
        <set-variable name="base64Key" value="@(Convert.ToBase64String(Encoding.UTF8.GetBytes("{kid value}")))" />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/{tenant_id}/.well-known/openid-configuration" />
            <issuer-signing-keys>
                <key>@((string)context.Variables["base64Key"])</key>
            </issuer-signing-keys>
            <audiences>
                <audience>{audience}</audience>
            </audiences>
            <issuers>
                <issuer>https://sts.windows.net/{tenant_id}</issuer>
            </issuers>
            <required-claims>
                <claim name="aud" match="all">
                    <value>{audience}</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

I am getting the expected response.

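As an added example (not the answerer's policy and not from the Azure documentation) of the form the quoted phrase "specify a key by using the id" refers to: each key element carries an id attribute that must equal the kid header of the incoming token, so two keys can be listed during a rotation and the gateway picks the matching one. It assumes the current validate-jwt schema accepts id on key and that the token is signed with a symmetric (HS256) secret; every {{...}} reference is a placeholder named value you would define yourself.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the request before any backend call when the token fails validation. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true">
            <issuer-signing-keys>
                <!-- id must match the token's kid header; the element body is the
                     base64-encoded HMAC secret, pulled from a named value (placeholder)
                     so no secret is embedded in the policy document itself. -->
                <key id="{{jwt-current-kid}}">{{jwt-current-key-base64}}</key>
                <!-- Keep the previous key only while tokens signed with it are still
                     valid; remove it once the rotation window has passed. -->
                <key id="{{jwt-previous-kid}}">{{jwt-previous-key-base64}}</key>
            </issuer-signing-keys>
            <audiences>
                <audience>{{jwt-audience}}</audience>
            </audiences>
            <issuers>
                <issuer>{{jwt-issuer}}</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A token whose kid matches neither listed id, or whose signature does not verify against the selected key, is rejected with the configured 401 rather than falling through to another key.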