I want to configure fault handling on a VerifyJWT policy (as documented here) but the [prefix].[policy_name].failed variable seems to be null by the time the fault rule condition is checked.
Proxy configuration:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1">
    <DisplayName>Verify JWT-1</DisplayName>
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <Value ref="publicKey"/>
    </PublicKey>
</VerifyJWT>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <Description/>
    <FaultRules>
        <FaultRule name="JWT Policy Errors">
            <Step>
                <Name>error-message</Name>
                <Condition>(fault.name Matches "TokenExpired")</Condition>
            </Step>
            <Condition>jwt.Verify-JWT-1.failed=true</Condition>
        </FaultRule>
    </FaultRules>
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>Verify-JWT-1</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <Flows/>
    <HTTPProxyConnection>
        <BasePath>/test</BasePath>
        <Properties/>
        <VirtualHost>default</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
Passing in an expired token yields the correct variable in the VerifyJWT policy itself:
But seems to be null when trying to evaluate the fault rule condition:
What am I missing here?
Thanks
Hmmm, maybe use "jwt.Verify-JWT-1.valid" in your Condition instead of "jwt.Verify-JWT-1.failed"?
Yes that works. Does the Verify JWT policy documentation need to be updated?
It says to use [prefix].[policy_name].failed but I don't see that in the trace session.
https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy#fault-variables
Thanks
YES, if the policy says it sets "failed", that appears to be incorrect. We'll get that changed.