2
votes

The company I work for has acquired multiple products over the years.
We've been developing a shared microservice ecosystem.
The products (currently) authenticate to different IDPs (e.g. Auth0, Azure B2C). The back-end microservices can handle multiple issuers just fine, but we also want to do authN checks at the API gateway - Azure APIM, and short-circuit if the JWT access token is invalid.

How do I validate multiple issuers in Azure APIM?

In the docs, I can see that I can specify multiple issuers, but there's only 1 openid-config. How would it be getting the public signing keys for multiple issuers if there's only 1 openid-config? Presumably it goes to this to get the JWKS endpoint and then the info to verify token signatures...

Here's part of the APIM (inbound) policy I'm talking about:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-signed-tokens="true">
    <openid-config url="https://example-company.au.auth0.com/.well-known/openid-configuration" />
    <audiences>
        <audience>test</audience>
        <audience>blah</audience>
    </audiences>
    <issuers>
        <issuer>https://example-company.au.auth0.com</issuer>
        <issuer>http://contoso.com/</issuer>
    </issuers>
</validate-jwt>

2 Answers

1
votes

Just to clarify; the company I work for has multiple products and each product has a separate IDP and/or tenant - basically there's no crossover of users between products.

The validate-jwt policy only allows 1 openid-config element, but for my scenario I've got multiple OpenId configs...

I managed to get around this by doing the following:

<choose>
    <when condition="@(context.Request.Headers.GetValueOrDefault("X-ProductCode","") == "XYZ")">
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-signed-tokens="true">
            <openid-config url="https://xyz.au.auth0.com/.well-known/openid-configuration" />
            <audiences>
                <audience>xyz-audience1</audience>
            </audiences>
        </validate-jwt>
    </when>
    <when condition="@(context.Request.Headers.GetValueOrDefault("X-ProductCode","") == "ABC")">
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-signed-tokens="true">
            <openid-config url="https://abc.au.auth0.com/.well-known/openid-configuration" />
            <audiences>
                <audience>abc-audience1</audience>
                <audience>abc-audience2</audience>
            </audiences>
        </validate-jwt>
    </when>
    <otherwise>
        <!-- No known product code: without this branch the request would pass through with no token validation at all -->
        <return-response>
            <set-status code="401" reason="Unauthorized" />
        </return-response>
    </otherwise>
</choose>
0
votes

APIM does read the full OpenID Connect config and the linked JWKS to get the list of keys and valid issuers. At the same time, the sample you have should work just fine as well; issuers from OIDC and explicitly specified ones will be combined.