Azure APIM get-authorization-context returns cached expired token

EdmondTangCPower-2520 20

I have a credential provider with two connections setup identically, however the original connection began to return an expired token a month ago and has been doing that ever since with the exact same issued and expiration date of when this problem first started. Here is the snippet of the APIM trace from the problematic connection:

User's image

What I've noticed comparing the traces between the connections is the non-problematic connection is taking additional steps to obtain the managed identity token, then sending the request to the authorization provider gateway. I've deleted the credential provider and connection and recreated with the same name and it's still returning the same dates. Any input would be greatly appreciated. Thanks!

The inbound policy. User's image

Ranashekar Guda 575 Reputation points Microsoft External Staff

2025-01-27T07:04:47.99+00:00
Hi @EdmondTangCPower-2520,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

It seems that the issue with the expired token being returned by the problematic connection could be related to how the access tokens are cached and refreshed in Azure API Management (APIM). According to the documentation, in the classic and v2 service tiers, the access token is cached until 3 minutes before the expiration time. If the access token is less than 3 minutes away from expiration, it will be cached until it expires.

If the connection is consistently returning the same expired token, it might indicate that the refresh process is not being triggered correctly. The get-authorization-context policy is responsible for validating the existing authorization token and fetching new tokens if the current one has expired. If this policy is not executing as expected, it could lead to the behavior you're observing.

Here are a few steps you might consider troubleshooting further:

Ensure that the get-authorization-context policy is correctly configured for the problematic connection.

Check if there are any access policies that might be affecting the ability to refresh the token.

Verify that the credential provider and connection settings are identical and that there are no hidden differences.

Monitor the logs for any errors or warnings that might indicate issues with token retrieval.

Also, for your reference and better understanding please do check the below link:

https://learn.microsoft.com/en-us/azure/api-management/credentials-overview#security-considerations

I hope the information provided clarifies your issue. If you have any further concerns, please do not hesitate to reach out to us.
Ranashekar Guda 575 Reputation points Microsoft External Staff

2025-01-28T05:37:03.16+00:00

Hi @EdmondTangCPower-2520 ,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Ranashekar Guda 575 Reputation points Microsoft External Staff

2025-01-29T06:15:11.2466667+00:00

Hi @EdmondTangCPower-2520,

If you found the response helpful, please click Accept Answer and Yes for the provided answer. This will help other community members with similar issues find the solution more easily.
Ian Reid 0 Reputation points

2025-01-29T11:53:21.6866667+00:00

Hi Edmond, did you find an answer to this issue? We are experiencing the same problem.
Thanks
EdmondTangCPower-2520 20 Reputation points

2025-03-02T16:59:02.6333333+00:00

Hi @Ranashekar Guda ,

I've gone through the troubleshooting steps but have a question on #3 to find hidden differences. Where would I be able to find the differences? I've tried Azure Resource Explorer. The problematic one was created using Terraform and I want to compare the differences. Our APIM gets over 600 requests per minute, does that mean each request also counts as an authorization request? Would this limit cause the get-authorization-context policy to fail? We are using ClientCredentials, will the policy still get a refresh token?

Thanks!
EdmondTangCPower-2520 20 Reputation points

2025-03-02T17:07:51.15+00:00

Hi Ian, unfortunately no. We are still troubleshooting this issue and having to create new connections every several weeks.
Ranashekar Guda 575 Reputation points Microsoft External Staff

2025-03-04T11:39:26.5733333+00:00

Hi @EdmondTangCPower-2520,

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Ranashekar Guda 575 Reputation points Microsoft External Staff

2025-03-03T12:31:56.4666667+00:00

Hi @EdmondTangCPower-2520,

To compare the configurations, use Azure Resource Explorer or export them to JSON files and compare with a diff tool. You can also use Terraform’s terraform plan and terraform show commands.

Regarding authorization requests, each API Management (APIM) request needing authorization counts as one. If your APIM instance is handling over 600 requests per minute, consider using the limit-concurrency policy to avoid overloading the authorization provider.

In the ClientCredentials flow, refresh tokens aren't issued. Instead, the client should request a new access token when the current one expires.

I hope this clarifies your issue. Feel free to reach out if you have any further concerns.
Please sign in to rate this answer.
Ranashekar Guda 575 Reputation points Microsoft External Staff

2025-03-05T11:44:56.39+00:00

Hi @EdmondTangCPower-2520,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure APIM get-authorization-context returns cached expired token

1 answer

Your answer