VerifyJWT Policy fault variable not available

I want to configure fault handling on a VerifyJWT policy (as documented here) but the [prefix].[policy_name].failed variable seems to be null by the time the fault rule condition is checked.

Proxy configuration:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1">
    <DisplayName>Verify JWT-1</DisplayName>
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <Value ref="publicKey"/>
    </PublicKey>
</VerifyJWT>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <Description/>
    <FaultRules>
        <FaultRule name="JWT Policy Errors">
            <Step>
                <Name>error-message</Name>
                <Condition>(fault.name Matches "TokenExpired")</Condition>
            </Step>
            <Condition>jwt.Verify-JWT-1.failed=true</Condition>
        </FaultRule>
    </FaultRules>
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>Verify-JWT-1</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <Flows/>
    <HTTPProxyConnection>
        <BasePath>/test</BasePath>
        <Properties/>
        <VirtualHost>default</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>

Passing in an expired token yields the correct variable in the VerifyJWT policy itself:

[Image: 7410-apigee1.png]

But it seems to be null when trying to evaluate the fault rule condition:

[Image: 7411-apigee2.png]

What am I missing here?

Thanks

1 ACCEPTED SOLUTION

Hmmm, maybe use "jwt.Verify-JWT-1.valid" in your Condition instead of "jwt.Verify-JWT-1.failed" ?


Yes, that works. Does the Verify JWT policy documentation need to be updated?

It says to use [prefix].[policy_name].failed but I don't see that in the trace session.


https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy#fault-variables

Thanks

YES, if the policy says it sets "failed", that appears to be incorrect. We'll get that changed.