
Web Protection Profile - Mobile Application Identification - JWT Bearer

I'm trying to validate mobile requests to an API that uses JWT bearer authentication. I've turned on Mobile Application Identification, set the Token Secret, set the Token Header to "Authorization" and added a Mobile API Protection policy. The requests should be blocked when the given JWT token cannot be validated.


The problem I have is this: all the requests use the format:



Authorization: bearer eyJhbG...



which is the standard format for HTTP authorization headers:

Authorization: <type> <credentials>


I cannot figure out how to get FortiWeb to validate the credential part of the header. If I send a request without specifying the type (bearer) like:



Authorization: eyJhbG...



FortiWeb does in fact validate the token correctly, but of course the backend API can't process the authentication. Anyone have any ideas on what I might be doing wrong or is this a limitation? Seems like JWT validation should account for the fact the value contains "bearer <access_token>".
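
The behaviour described in the question, as an added example that is not part of the original post and is not FortiWeb code: a validator that treats the whole header value as the token rejects `bearer <token>`, while one that first splits `<type> <credentials>` accepts it. It assumes HS256 tokens signed with a shared secret; the function names, secret and sample token are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed sample token for the demonstration."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def split_authorization(value: str):
    """Split a '<type> <credentials>' header value; the scheme is case-insensitive."""
    parts = value.strip().split(None, 1)
    if len(parts) == 2:
        return parts[0].lower(), parts[1].strip()
    return None, (parts[0] if parts else "")  # bare token, no scheme

def verify_hs256(token: str, secret: bytes) -> bool:
    """Signature check only; expiry and other claims are out of scope here."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)

def validate_authorization(value: str, secret: bytes) -> bool:
    """Validate only the credentials part of a bearer Authorization value."""
    scheme, credentials = split_authorization(value)
    return scheme == "bearer" and verify_hs256(credentials, secret)

SECRET = b"constructed-demo-secret"                 # constructed sample secret
TOKEN = make_hs256({"sub": "mobile-app"}, SECRET)   # constructed sample token

if __name__ == "__main__":
    print("whole header value:", verify_hs256("bearer " + TOKEN, SECRET))
    print("credentials only:  ", validate_authorization("bearer " + TOKEN, SECRET))
```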

Community Manager

Hello mcdaniel,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.
Community Manager

Hello mcdaniel,


We are still looking for someone to help you.

We will come back to you ASAP.


Anthony-Fortinet Community Team.

Hi mcdaniel,


Please run the below debugs while performing testing:


diagnose debug reset
diagnose debug enable
diagnose debug timestamp enable
diagnose debug flow filter flow-detail 7
diagnose debug flow filter http-detail 7
diagnose debug flow module api-gateway
diagnose debug flow trace start

After testing, if you notice the below error in the debugs:
[Api Gateway][Error]: (get_api_key_header:3397): Invalid Key length 

This is because the module currently supports a key length of 1024. The key length would be increased in version 7.4.3, with a maximum of 4096.

