How a JWT generated from WSO2 IS is validated when calling APIs in Azure APIM
Azure APIM is the API management service offered by Microsoft Azure. It helps you publish APIs to external, partner, and employee developers securely and at scale.
Why?
I am writing this not to market Azure APIM, but to help customers who are using Azure APIM and want to integrate it with WSO2 IS.
A JWT token (JSON Web Token) can be thought of as a detailed, self-describing version of the opaque access token. It is a compact and self-contained way of securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or with a public/private key pair using RSA or ECDSA.
From WSO2 IS 5.3.0 onwards we can obtain a JWT as the ID token when we request an access token with the scope “oidc”. From WSO2 IS 5.4.0 onwards we can also generate a JWT access token instead of the typical opaque access token, as described in this documentation. So we can use these JWT tokens generated by WSO2 IS to call an API in Azure APIM.
How?
In Azure APIM, we can add policies that are evaluated during the authentication flow of an API call. So we can use such an inbound policy to validate the JWT tokens generated by WSO2 IS.
In this example I will show you how to add a simple policy that validates the audience and issuer of the JWT token.
- For this you first need to create an instance of API Management and create an API. This documentation will help you with that.
Here I am using the existing sample API called Echo API in Azure APIM.

- Next, you need to add the policy that validates the JWT token we will use to call this API.
In order to add the policy to the overall API, select the API. Next select 1 and click on 2 as shown in the image.

- Once you click on 2, you will get a window to add and edit the policy as shown below.

- This is a sample policy that validates the audience and the issuer (token endpoint). You can add this and save it so that it is applied during API calls.
Here you can change the values in {} to the appropriate values from your WSO2 IS configuration.
<?xml version="1.0" encoding="UTF-8"?>
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="SampleAuth" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.-9" require-expiration-time="true" require-scheme="bearer" require-signed-tokens="true">
            <openid-config url="{url of the well known endpoint}" />
            <audiences>
                <audience>{J_9eV8j2YAZ77TvzMydnDRrZAVUa}</audience>
            </audiences>
            <issuers>
                <issuer>https://{hostname}:{port}/oauth2/token</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
- The “header-name” attribute of the <validate-jwt> tag is the header in which the JWT token must be sent when calling the API. In my case it is “SampleAuth”.
- When calling the API, we need to add the parameters shown below. Remember to set the “Ocp-Apim-Trace” header to “true” in order to get the trace of the API call. This will help with debugging when an issue occurs.

- If the JWT token carries the same audience and issuer as the policy, you will get a 200 OK when calling the API. If not, it will return the error message you specified in the policy.
In my case it is “Unauthorized. Access token is missing or invalid.-9” with a 401 status code.
See, it’s easy and simple to use WSO2 IS with any APIM. So do not hesitate to post any comments and issues you are facing.
Happy time with WSO2 IS !… :)
