I've added a 'validate-jwt' policy to APIM to validate the issuer signing key and the expiration of a provided JWT. It's successfully validating the issuer signing key and rejecting any JWT which wasn't signed by the correct certificate, however it doesn't appear to be validating the expiration date/time at all. I can pass a JWT through which expired hours ago and it lets it through fine.
I've set 'Require expiration time' to true, I don't see any other settings that look relevant. Is Azure APIM capable of validating the expiration time or am I asking too much from it? Is there another setting that I need to set to get it to do it?
Yes, APIM checks the expiration time in the validate-jwt policy. I have set the token expiry to 1 hr and got the error. Thanks @silent for the comment. I am using the below policy; I am getting the below error after my token has expired.
Please check the token expiry and the policy you are using.
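For reference, here is an added example of a validate-jwt policy fragment that checks both the signing certificate and the expiry; it is not the answerer's policy above and not a policy from the original post. The certificate-id, issuer and audience values are placeholders. `require-expiration-time="true"` rejects tokens that carry no `exp` claim at all, and `clock-skew` bounds how far past `exp` a token is still accepted, so when testing with a token that expired hours earlier, both settings should produce the configured 401. When checking a token that unexpectedly passes, decode its payload and confirm it actually contains an `exp` claim, since a token without one is only rejected when `require-expiration-time` is set.

```xml
<inbound>
    <base />
    <!-- Added example (not from the original post): validate signature and expiry of a Bearer JWT.
         certificate-id, issuer and audience values are placeholders to be replaced. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Token is missing, invalid, or expired."
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true"
                  clock-skew="0">
        <!-- Public key taken from a certificate uploaded to APIM (placeholder identifier). -->
        <issuer-signing-keys>
            <key certificate-id="PLACEHOLDER-CERTIFICATE-ID" />
        </issuer-signing-keys>
        <!-- Restrict accepted issuer and audience as well; placeholder values. -->
        <issuers>
            <issuer>https://issuer.example/</issuer>
        </issuers>
        <audiences>
            <audience>api://example-api</audience>
        </audiences>
    </validate-jwt>
</inbound>
```

With `clock-skew="0"` no grace period is granted after `exp`; raising it to a small value (for example `clock-skew="60"`) is the usual accommodation for clock drift between the issuer and APIM, and should be kept small because every second of skew is a second an expired token remains usable.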