1
votes

I have an API hosted in Azure (Web App). This API can't be accessed directly by every client (IP Restriction), and I am willing to use APIM to protect it.

Users will call the APIM-Gateway and the gateway should respond appropriately.

One big problem is authentication: I am protecting this API (The Backend API and not the APIM-Gateway endpoint) with AAD. So users should authenticate themselves against AAD and access the resources with no direct access to the backend.

Is it possible to implement such a scenario?

2
Could you elaborate on your problem? - Vitaliy Kurokhtin

@VitaliyKurokhtin I have updated the question again. It was very hard to understand the first time. - mh133

2 Answers

0
votes

If you're fine with users authenticating against AAD then it's perfectly supported. With that model APIM may be used to just pass through user requests to the backend, or you could use the validate-jwt policy somewhere in the request processing pipeline to validate users' tokens and authorize invoked actions.

APIM's authorization servers feature may be used to document that your APIs require an AAD token from a certain server. If this is done, the test console on the developer portal will show controls to simplify getting a token to make test calls to your APIs.

Normally APIM requires clients to pass subscription keys to authenticate and authorize calls. But if you're relying on AAD that may not be something you want; then you can use the Open product to make your calls anonymous to APIM. The validate-jwt policy can still be used to require a certain token to be present with the request.

There are various ways you can ensure that your backend is reachable only via APIM:

  1. Shared secret - set a special header in APIM policy and check its value on the backend.
  2. Client certificate authentication - APIM may be set up to attach a client certificate to each request to the backend, which you check on the backend side to make sure that it is APIM making the call.
  3. VNET - APIM can join your VNET, while the backend may be set up to accept calls only from within the VNET, making it possible to be called only through APIM.
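
An added illustration of options 1 and 2 from the list above as an APIM inbound policy (example policy, not something from the original answer or from Microsoft's documentation). It assumes an APIM named value called `backend-shared-secret` (marked as secret, so the value never appears in the policy text) and a client certificate already uploaded to the APIM instance; the thumbprint is a placeholder. Option 3 (VNET integration) is an instance-level network setting, not a policy, so it has no equivalent here.

```xml
<policies>
    <inbound>
        <base />
        <!-- Option 1 (shared secret): inject a header that only APIM knows the value of.
             The backend rejects any request where this header is missing or wrong.
             {{backend-shared-secret}} is an assumed APIM named value, stored as a secret. -->
        <set-header name="X-APIM-Shared-Secret" exists-action="override">
            <value>{{backend-shared-secret}}</value>
        </set-header>
        <!-- Option 2 (mutual TLS): present an APIM-held client certificate on every
             call to the backend. The backend checks the certificate (thumbprint or issuer)
             before serving the request. PLACEHOLDER_CERT_THUMBPRINT is not a real value. -->
        <authentication-certificate thumbprint="PLACEHOLDER_CERT_THUMBPRINT" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Do not leak backend technology details to API callers -->
        <set-header name="X-Powered-By" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The shared-secret check on the backend should compare the header with a constant-time comparison and treat a missing header exactly like a wrong one; the secret should be rotated by updating the named value, not by editing the policy. The certificate option is stronger because the secret never travels in a header, but it requires the Web App to be configured to request and verify client certificates.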

0
votes

I have used the approach below in my recent project and used JWT validation to validate the OAuth2 token in policy. Follow the Microsoft document link https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.

Here is a quick overview of the steps:

  1. Register an application (backend-app) in Azure AD to represent the API.
  2. Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
  3. In Azure AD, grant permissions to allow the client-app to call the backend-app.
  4. Configure the Developer Console to call the API using OAuth 2.0 user authorization. (optional)
  5. Add the validate-jwt policy to validate the OAuth token for every incoming request.