I have a few APIs (Logic Apps, Functions) that I want to expose through Azure API Management. They work fine, so I decided to add OAuth2 authorization.
I followed, step by step, https://docs.microsoft.com/fr-fr/azure/api-management/api-management-howto-protect-backend-with-aad:
- Register an application (backend-app) in Azure AD to represent the API.
- Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
- In Azure AD, grant permissions to allow the client-app to call the backend-app.
- Configure the Developer Console to call the API using OAuth 2.0 user authorization.
- Add the validate-jwt policy to validate the OAuth token for every incoming request.
- Also used Postman to test.
Everything works until the "validate-jwt" policy step. When I add it, I get a "401 - Unauthorized. Access token is missing or invalid." I can get the token, in the Developer Console and in Postman, but as soon as I make the API call... 401!
When I used jwt.ms to check the content of the token, I noticed that the aud param has nothing to do with the backend Application ID. The value in the token is "00000003-0000-0000-c000-000000000000", whereas the backend app ID is like "16caXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXc0".
I'm running out of ideas and need the help of some Azure gurus out there! Help would be very much appreciated...
Below is the inbound policy, as per the MS doc:
<policies>
    <inbound>
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/MY_AD_TENANT_ID/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>MY_BACKEND_APP_ID_GUID</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
</policies>
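As an added diagnostic example (not part of the question above and not code from Microsoft's documentation), here is a small Python script that does what the poster did with jwt.ms, but as a repeatable check: it decodes a token's payload without verifying the signature and reports whether the aud claim matches the backend application ID the validate-jwt policy requires. The backend app ID and the tokens below are constructed samples; the only real value is the Microsoft Graph application ID, which is the aud seen in the question. The script also accepts the api://<guid> App ID URI form, since Azure AD v1 tokens carry that as aud instead of the bare GUID.

```python
import base64
import json

# Well-known application ID of Microsoft Graph. When aud carries this value,
# the token was issued for Graph (the requested scope targeted Graph), not for
# the backend app, so validate-jwt's required aud claim will not match.
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample backend app ID (stands in for the real registration's GUID).
BACKEND_APP_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking its signature.

    Diagnostic use only: APIM's validate-jwt performs the real verification
    against the signing keys published at the openid-config URL.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token: str, expected_app_id: str) -> dict:
    """Compare the token's aud claim with what the validate-jwt policy expects."""
    claims = decode_jwt_payload(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # v2 tokens use the bare GUID; v1 tokens use the App ID URI (api://<guid>).
    accepted = {expected_app_id, f"api://{expected_app_id}"}
    ok = any(a in accepted for a in audiences)
    hint = None
    if not ok and MICROSOFT_GRAPH_APP_ID in audiences:
        hint = ("aud is Microsoft Graph: the token was requested with a Graph scope, "
                "not a scope exposed by the backend app, so the aud check will fail")
    return {"ok": ok, "aud": audiences, "scp": claims.get("scp"), "hint": hint}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg none) token for offline demonstration only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Token shaped like the one in the question: aud is Graph, scope is a Graph scope.
    graph_token = make_unsigned_token({"aud": MICROSOFT_GRAPH_APP_ID, "scp": "User.Read"})
    print(check_audience(graph_token, BACKEND_APP_ID))
    # Token issued for the backend app: aud matches the policy's required claim.
    api_token = make_unsigned_token({"aud": BACKEND_APP_ID, "scp": "access_as_user"})
    print(check_audience(api_token, BACKEND_APP_ID))
```

The script never validates the signature, so its output is only useful for reading which resource the token was issued for; treat the returned hint as a pointer to the scope requested in the Developer Console or Postman, not as an authorization decision.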