Is there anyone with experience in using Azure API Management, and in particular with validating JWT tokens sent to it using the policy model?
I've configured the <validate-jwt> tag properly, but my tokens are signed asymmetrically so I need to use the <openid-config> tag to let the system know where to get the public key.
And in doing so, the system will call that url over SSL/TLS, but in my case the host is configured to offer SSL/TLS with a self-signed certificate.
Is there any way to disable this? I know the official docs mention disabling certificate validation when it comes to calling the backend APIs, but this is a front-facing API. And setting that doesn't seem to work.
I also tried abusing the declarative model of the policies, to somehow run C# code that disables that, but to no avail.
Does anyone know any other way of doing this? Either disabling the validation, or forcing trust with the self-signed certificate.
Thank you, and have a good one.
EDIT: This is what my configuration looks like:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="https" require-signed-tokens="true">
    <openid-config url="https://identityserverhost/.well-known/openid-configuration" />
    <audiences>
        <audience>audience</audience>
    </audiences>
    <issuers>
        <issuer>issuer</issuer>
    </issuers>
</validate-jwt>
The https://identityserverhost is served over https, but with a self-signed certificate, if this makes it more clear.
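To show the difference between the two options the question raises (disabling certificate validation versus trusting the one self-signed certificate), here is an added Go example; it is not from the post and is not Azure API Management code, and it says nothing about whether APIM itself can be configured this way. A local HTTPS test server with a self-signed certificate serves a constructed discovery document; a client using the default trust store rejects it, while a client whose root pool contains only that certificate accepts it. The function and type names are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// discovery holds the two discovery-document fields a JWT validator needs:
// the issuer to compare with the token and the URL of the signing keys.
type discovery struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}

// newSelfSignedIdP starts an HTTPS server with a self-signed certificate
// (generated by httptest) that serves a constructed discovery document.
func newSelfSignedIdP() *httptest.Server {
	mux := http.NewServeMux()
	var srv *httptest.Server
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
		_ = json.NewEncoder(w).Encode(discovery{Issuer: srv.URL, JwksURI: srv.URL + "/jwks"})
	})
	srv = httptest.NewTLSServer(mux)
	return srv
}

// fetchIssuer is the first step a validator takes for <openid-config>: fetch the
// discovery document over TLS and read the issuer. A rejected certificate is an error here.
func fetchIssuer(c *http.Client, baseURL string) (string, error) {
	resp, err := c.Get(baseURL + "/.well-known/openid-configuration")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var d discovery
	err = json.NewDecoder(resp.Body).Decode(&d)
	return d.Issuer, err
}

// pinnedClient trusts exactly one certificate, the identity server's self-signed
// one, rather than switching verification off with InsecureSkipVerify.
func pinnedClient(cert *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr}
}
```

With the default client the error is a certificate-verification failure (unknown authority); the pinned client returns the issuer from the served document.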
I don't think it's possible at the moment; it would be a good feature, though. You could switch to http instead of https in openid-config, if you're comfortable with that.