Azure APIM not validating JWT expiration time

Question

I've added a 'validate-jwt' policy to APIM to validate the issuer signing key and the expiration of a provided JWT. It's successfully validating the issuer signing key and rejecting any JWT which wasn't signed by the correct certificate, however it doesn't appear to be validating the expiration date/time at all. I can pass a JWT through which expired hours ago and it lets it through fine.

I've set 'Require expiration time' to true, I don't see any other settings that look relevant. Is Azure APIM capable of validating the expiration time or am I asking too much from it? Is there another setting that I need to set to get it to do it?

Answer 1

Is Azure APIM capable of validating the expiration time or am I asking too much from it?

Yes, APIM checks expiration time in validate-jwt policy. I have set the token expiry to 1hr and got the error. Thanks @silent for the comment. I am using the below policy-

<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration" />
            <issuer-signing-keys>
                <key>Base64 Encoded Key</key>
            </issuer-signing-keys>
            <audiences>
                <audience>********</audience>
            </audiences>
            <issuers>
                <issuer>********</issuer>
            </issuers>
            <required-claims>
                <claim name="" match="all">
                    <value>*******</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
</policies>

I am getting below error after my token is expired.

Please check the token expiry and the policy you are using.