0
votes

I have an API endpoint which is being used by multiple public clients, and each client is configured with a different client ID. I am using the Authorization Code flow with the OAuth2/OpenID Connect protocol. I would like to introduce an Azure APIM service and would like to validate the JWT token before forwarding the request to the APIs. Could you please let me know how I can achieve this?

Note: I can't use a single client ID, as the redirect URI is different for each client.

1

1 Answers

2
votes

You can use the Validate JWT policy to pre-authorize requests in API Management, by validating the access tokens of each incoming request. If a request does not have a valid token, API Management blocks it. For example, add the following policy to the <inbound> policy section of the Echo API. It checks the audience claim in an access token, and returns an error message if the token is not valid.

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud">
            <value>{Application ID of backend-app}</value>
        </claim>
    </required-claims>
</validate-jwt>

For more details, you could refer to the article "Configure a JWT validation policy to pre-authorize requests".
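The snippet in the answer pins the token to one audience, which is already independent of which client requested it, since the audience is the backend API rather than the caller. The policy below is an added example (not from the answer above or from Microsoft's documentation) that extends it to the multi-client situation in the question: it still requires the backend API's audience and the tenant's issuer, but additionally restricts the calling client to an explicit allow-list using the `match="any"` form of `<claim>`. Everything in `{braces}` is a placeholder you must replace. It assumes v2.0 access tokens, where the calling client's ID is carried in the `azp` claim (v1.0 tokens carry it in `appid` instead, and use the non-`/v2.0` issuer and metadata URL).

```xml
<inbound>
    <base />
    <!-- Added example, not the original answer's code. Placeholders in {braces}
         are assumptions that must be replaced with your own tenant and app IDs. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true">
        <!-- Signing keys are fetched from the tenant's OpenID Connect metadata (v2.0 endpoint assumed) -->
        <openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />
        <!-- The audience is the backend API itself, so it is the same for every public client -->
        <audiences>
            <audience>{Application ID of backend-app}</audience>
        </audiences>
        <!-- Reject tokens minted by any other tenant, even if they are correctly signed -->
        <issuers>
            <issuer>https://login.microsoftonline.com/{aad-tenant}/v2.0</issuer>
        </issuers>
        <required-claims>
            <!-- v2.0 tokens carry the calling client's ID in "azp"; list each public client
                 that may call this API and accept the token if any one of them matches -->
            <claim name="azp" match="any">
                <value>{client ID of public client 1}</value>
                <value>{client ID of public client 2}</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

Keeping the audience and issuer checks alongside the client allow-list matters: a token that was issued for a different API, or by a different tenant, is rejected before the `azp` comparison is reached, and a new public client can be onboarded by adding one `<value>` line rather than by changing how the API identifies itself.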