Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Web Protection Profile - Mobile Application Identification - JWT Bearer

I'm trying to validate mobile requests to an api that use a JWT bearer authentication.  I've turned on Mobile Application Identification, set the Token Secret, set the Token Header to "Authorization" and added a Mobile API Protection policy.  The requests should be blocked when the given JWT token cannot be validated. 


The problem I have is this, all the requests use the format:



Authorization: bearer eyJhbG...



which is the standard format for HTTP authorization headers:

Authorization: <type> <credentials>


I cannot figure out how to get fortiweb to validate the credential part of the header.  If I send a request without specifying the type (bearer) like:



Authorization: eyJhbG...



fortiweb does in fact validate the token correctly, but of course the backend api can't process the authentication.  Anyone have any ideas on what I might be doing wrong or is this a limitation?  Seems like JWT validation should account for the fact the value contains "bearer <access_token>".

Community Manager
Community Manager

Hello mcdaniel,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.
Community Manager
Community Manager

Hello mcdaniel,


We are still looking for someone to help you.

We will come back to you ASAP.


Anthony-Fortinet Community Team.

Hi mcdaniel,


Please run the below debugs while perform testing:


diagnose debug reset
diagnose debug enable
diagnose debug timestamp enable
diagnose debug flow filter flow-detail 7
diagnose debug flow filter http-detail 7
diagnose debug flow module api-gateway 
debug flow trace start 

Post testing if you notice below error in the debugs:
[Api Gateway][Error]: (get_api_key_header:3397): Invalid Key length 

This is due to Key length Module currently support with 1024, The Key length would be increased in 7.4.3 version with maximum of 4096.



Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors