I'm working in Azure, where our Web App calls the APIM with the request, and then the APIM calls the WebApi to fulfill the request.
We're hitting a 500 error when we try to call one of the APIs set up, and when drilling down to the error in the browser (below is "Error message") (Inspect -> Network), it shows the error message coming from a validate-jwt policy set up for the APIM (a product-public.policy.xml):
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error message" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="{{validauthorityissuer}}/.well-known/openid-configuration" />
            <issuer-signing-keys>
                <key>Base64 Encoded Key</key>
            </issuer-signing-keys>
            <audiences>
                <audience>{{WebAppId}}</audience>
            </audiences>
            <issuers>
                <issuer>{{validauthorityissuer}}</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
</policies>
At first glance it looks like the issuer-signing-key is the problem, as it looks to be just a placeholder string.
To confirm it may be this causing the problem, I did a test in APIM, and got the following message: { "code": "401", "type": "AAD Authorization", "message": "No token provided to access the resource.", "developerMessage": "Missing or badly formatted access token", "moreInfo": null }
This leads me to believe even more that the problem is the issuer-signing-keys.
My question is, where do I obtain the issuer-signing-key? Haven't been able to find much help online and through documentation.
Second question would be, assuming I get the key, would I have to convert it to base64, then paste it where it currently says "Base64 Encoded Key"?
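A pre-deployment check for the situation described in the post, where a `<key>` under `issuer-signing-keys` still holds placeholder text. This is an added example, not part of the original post or of APIM tooling; `check_signing_keys`, `MIN_KEY_BYTES`, the 32-byte floor and the embedded sample policy are assumptions made for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample: the policy from the post, trimmed and closed so it parses.
POLICY = """<policies><inbound><base />
  <validate-jwt header-name="Authorization" require-signed-tokens="true">
    <openid-config url="{{validauthorityissuer}}/.well-known/openid-configuration" />
    <issuer-signing-keys>
      <key>Base64 Encoded Key</key>
    </issuer-signing-keys>
  </validate-jwt>
</inbound></policies>"""

MIN_KEY_BYTES = 32  # assumption: 256-bit floor, the minimum key size for HS256


def check_signing_keys(policy_xml):
    """Return (key_text, problem) for each inline <key> that is unusable as written."""
    findings = []
    root = ET.fromstring(policy_xml)
    for jwt in root.iter("validate-jwt"):
        for key in jwt.iterfind("./issuer-signing-keys/key"):
            if key.get("certificate-id"):
                continue  # key comes from an uploaded certificate, no inline value
            text = (key.text or "").strip()
            if text.startswith("{{") and text.endswith("}}"):
                continue  # APIM named value, resolved at runtime; not checkable offline
            if not text:
                findings.append((text, "empty key"))
                continue
            try:
                raw = base64.b64decode(text, validate=True)
            except (binascii.Error, ValueError):
                findings.append((text, "not valid Base64"))
                continue
            if len(raw) < MIN_KEY_BYTES:
                findings.append((text, f"decodes to only {len(raw)} bytes"))
    return findings


if __name__ == "__main__":
    for text, problem in check_signing_keys(POLICY):
        print(f"issuer-signing-keys: {text!r}: {problem}")
```
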