Hi,
This post writes down an APIM policy that validates a JWT and returns a custom JSON error response.
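<!--
  APIM policy: validate the inbound JWT and shape every 401/403 (and any policy
  error) into a fixed JSON envelope so clients get a consistent error contract.

  Fixes relative to the original listing: all attribute and C# string delimiters
  were typographic quotes (” “ ″) and the comment used en-dashes (<!– –>), so the
  document was not well-formed XML and the policy expressions would not compile.
  The unused StatusReason variable in <outbound> is dropped.
-->
<policies>
  <inbound>
    <base />
    <!--
      Reject requests whose bearer token is missing, unsigned, expired, or not
      issued for this API. Audience, issuer and the required oid claim come from
      named values so the same policy can be promoted across environments.
      require-scheme="Bearer" rejects tokens sent without the Bearer prefix;
      require-expiration-time="true" rejects tokens with no exp claim.
    -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid." require-expiration-time="true" require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/test.onmicrosoft.com/.well-known/openid-configuration" />
      <audiences>
        <audience>{{qa-fapp-product-payments-aud}}</audience>
      </audiences>
      <issuers>
        <issuer>{{qa-fapp-product-payments-sts-issuer}}</issuer>
      </issuers>
      <required-claims>
        <!-- match="all": every listed value must be present on the oid claim. -->
        <claim name="oid" match="all">
          <value>{{qa-fapp-product-payments-oid}}</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Don't expose the APIM subscription key to the backend. -->
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!--
      Normalise backend 401/403 responses into the shared JSON envelope. The
      original status code and reason phrase are preserved; only the body is
      replaced. NOTE(review): "Code" and "ExtraDetail" are fixed strings
      ("1000" / "Internal Server Error") even though this branch only handles
      401 and 403 — confirm that is the intended client contract.
    -->
    <choose>
      <when condition="@(context.Response.StatusCode == 401 || context.Response.StatusCode == 403 )">
        <return-response>
          <set-status code="@(context.Response.StatusCode)" reason="@(context.Response.StatusReason)" />
          <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
          </set-header>
          <set-body>@{
            // Envelope: { Result: { Message: { Errors: {...} }, ResultCode: "Failed" } }
            return new JObject(
              new JProperty("Result",
                new JObject(
                  new JProperty("Message",
                    new JObject(
                      new JProperty("Errors",
                        new JObject(
                          // ISO 8601 round-trip timestamp in UTC.
                          new JProperty("Timestamp", DateTimeOffset.UtcNow.ToString("o")),
                          new JProperty("System", "APIM"),
                          new JProperty("Code", "1000"),
                          new JProperty("ExtraDetail", "Internal Server Error"),
                          // String.Format keeps a null reason phrase as "" rather than JSON null.
                          new JProperty("Description", String.Format("{0}",
                            context.Response.StatusReason
                          ))
                        )))),
                  new JProperty("ResultCode", "Failed")
                ))).ToString();
          }</set-body>
        </return-response>
      </when>
      <otherwise />
    </choose>
  </outbound>
  <on-error>
    <base />
    <!--
      Any policy error (including a validate-jwt failure) ends up here and is
      returned in the same JSON envelope.
      NOTE(review): assumes context.Response is populated when the error was
      raised in <inbound> before the backend call — verify the status code and
      reason are the ones set by failed-validation-httpcode in that case.
      NOTE(review): Description echoes context.LastError.Source/Message/Reason
      to the caller; these can carry internal policy and backend details. Keep
      the verbose form for non-production environments only, or log it via
      <trace> and return a generic Description in production.
    -->
    <return-response>
      <set-status code="@(context.Response.StatusCode)" reason="@(context.Response.StatusReason)" />
      <set-header name="Content-Type" exists-action="override">
        <value>application/json</value>
      </set-header>
      <set-body>@{
        // Same envelope as the <outbound> 401/403 branch; only Description differs.
        return new JObject(
          new JProperty("Result",
            new JObject(
              new JProperty("Message",
                new JObject(
                  new JProperty("Errors",
                    new JObject(
                      // ISO 8601 round-trip timestamp in UTC.
                      new JProperty("Timestamp", DateTimeOffset.UtcNow.ToString("o")),
                      new JProperty("System", "APIM"),
                      new JProperty("Code", "1000"),
                      new JProperty("ExtraDetail", "Internal Server Error"),
                      new JProperty("Description", String.Format("Source = {0}, Message = {1}, Reason = {2}",
                        context.LastError.Source,
                        context.LastError.Message,
                        context.LastError.Reason
                      ))
                    )))),
              new JProperty("ResultCode", "Failed")
            ))).ToString();
      }</set-body>
    </return-response>
  </on-error>
</policies>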