1
votes

I have deployed an application on Azure kubernetes without authentication and I have the Azure API management in front of the API.

How do I use the Azure API management to authenticate kubernetes APIs?

<!-- validate-jwt inbound policy: rejects the request with 401 when the bearer token is missing or fails validation -->
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <!-- signing keys and issuer are discovered from the tenant's OpenID configuration -->
    <openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration" />
    <!-- the token's aud claim must match the API's application (client) ID -->
    <audiences>
        <audience>25eef6e4-c905-4a07-8eb4-0d08d5df8b3f</audience>
    </audiences>
    <!-- every listed value must be present in the named claim (match="all") -->
    <required-claims>
        <claim name="id" match="all">
            <value>insert claim here</value>
        </claim>
    </required-claims>
</validate-jwt>

1 Answer

3
votes

How are you authenticating your APIM url?

Here is a raw way of achieving authentication:

  1. Generate a JWT from Azure AD (this could be your Web UI)
  2. Enable OAuth2 for your APIM
  3. While calling APIM from your UI, the JWT token will be passed
  4. Upon receiving the token at the APIM, create an inbound policy to validate the JWT: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies
  5. Once the JWT is validated, call the backend Kubernetes-deployed endpoints.
  6. You may want to restrict your ingress controller to only accept traffic from the APIM
  7. Your HTTP context will contain the user information from the JWT token at the API endpoint
  8. If you want, you can further use this info from #7 in your middleware to write your custom auth logic.
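Steps 4, 5 and 7 above as one APIM inbound policy, added here as an illustration rather than code from the answer: it validates the Azure AD token, requires an app role, and forwards the verified subject and roles to the Kubernetes backend as headers. The tenant, application ID URI, role name and `X-User-*` header names are placeholders you must replace; the `Jwt` expression object and its `Subject`/`Claims` members are the ones APIM exposes via `output-token-variable-name`.

```xml
<policies>
    <inbound>
        <base />
        <!-- Step 4: validate the bearer token before anything reaches the backend -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      require-expiration-time="true" require-signed-tokens="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      output-token-variable-name="jwt">
            <!-- placeholder tenant: signing keys and issuer are fetched from this metadata document -->
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <!-- placeholder: the Application ID URI (or client ID) registered for this API -->
            <audiences>
                <audience>api://APP-ID-PLACEHOLDER</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0</issuer>
            </issuers>
            <!-- placeholder app role: callers must carry at least one listed value in "roles" -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Api.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Steps 5 and 7: pass verified identity to the backend. exists-action="override"
             replaces any client-supplied copy of these headers, so the backend can trust them
             only as long as the ingress accepts traffic from APIM alone (step 6). -->
        <set-header name="X-User-Subject" exists-action="override">
            <value>@(((Jwt)context.Variables["jwt"]).Subject)</value>
        </set-header>
        <set-header name="X-User-Roles" exists-action="override">
            <value>@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("roles", ""))</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The backend middleware (step 8) then reads `X-User-Subject` and `X-User-Roles` instead of re-parsing the token, which is safe only if nothing but APIM can reach the ingress.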