0
votes

I'm trying to set up an OAuth2 authentication service in Azure API Management in order to authenticate users in our Auth0 identity provider in the Developer Portal.
However, I'm not able to configure the OAuth2 service to pass the audience parameter in order to get a JWT token (now only an opaque token is returned).

I've created a new OAuth2 service in the Azure portal, with the audience specified in the "Additional body parameters" section:


Next, I've added the OAuth2 service to the API:


Next, when I try to test the API in the developer portal I'm only getting an opaque token:


I would expect that audience would be included when specified in the "Additional parameters" section, but that does not seem to be working.
So I wonder if it's something I'm doing wrong here.


2 Answers

0
votes

You can configure the JWT validator policy to work with reference/opaque tokens.

Policy statement

<inbound>
  <!-- Extract Token from Authorization header parameter -->
  <set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />

  <!-- Send request to Token Server to validate token (see RFC 7662) -->
  <send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
    <set-url>https://microsoft-apiappec990ad4c76641c6aea22f566efc5a4e.azurewebsites.net/introspection</set-url>
    <set-method>POST</set-method>
    <set-header name="Authorization" exists-action="override">
      <value>basic dXNlcm5hbWU6cGFzc3dvcmQ=</value>
    </set-header>
    <set-header name="Content-Type" exists-action="override">
      <value>application/x-www-form-urlencoded</value>
    </set-header>
    <set-body>@($"token={(string)context.Variables["token"]}")</set-body>
  </send-request>

  <choose>
    <!-- Check active property in response -->
    <when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
      <!-- Return 401 Unauthorized with http-problem payload -->
      <return-response>
        <set-status code="401" reason="Unauthorized" />
        <set-header name="WWW-Authenticate" exists-action="override">
          <value>Bearer error="invalid_token"</value>
        </set-header>
      </return-response>
    </when>
  </choose>
  <base />
</inbound>

You can decode the token at https://jwt.io/ and re-verify it with the validate-jwt policy used in the inbound section. For example:

The audience in the decoded token payload should match the claim section of the validate-jwt policy:


You can refer to the open GitHub issue at Jwt validation policy with reference tokens?, Verify a reference token with an authorization server, Authenticate Azure API Management with OAuth2 using Azure AD, and Protect API's using OAuth 2.0 in APIM.
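Added example (not part of the answer above or of any Microsoft or Auth0 sample): the validate-jwt policy the answer describes, written for a JWT issued by Auth0, so that the audience in the decoded token is checked against the policy's audiences section. YOUR_TENANT and https://api.example.com/ are placeholders for the Auth0 domain and the API identifier that was passed as the audience parameter.

```xml
<!-- Added example, not from the original answer.
     Placeholders: YOUR_TENANT (Auth0 domain) and https://api.example.com/
     (the API identifier passed as the Auth0 audience parameter). -->
<inbound>
  <validate-jwt header-name="Authorization"
                require-scheme="Bearer"
                require-expiration-time="true"
                require-signed-tokens="true"
                failed-validation-httpcode="401"
                failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                output-token-variable-name="jwt">
    <!-- Signing keys are fetched from the provider's discovery document,
         so key rotation at Auth0 needs no policy change. -->
    <openid-config url="https://YOUR_TENANT.auth0.com/.well-known/openid-configuration" />

    <!-- The iss claim must be exactly the tenant issuer (Auth0 includes the trailing slash). -->
    <issuers>
      <issuer>https://YOUR_TENANT.auth0.com/</issuer>
    </issuers>

    <!-- The aud claim must contain the API identifier; this is the value you see
         when the token is decoded at https://jwt.io/. A token minted without an
         audience (the opaque-token case from the question) never reaches this check. -->
    <audiences>
      <audience>https://api.example.com/</audience>
    </audiences>

    <!-- Auth0 puts granted scopes in a single space-separated scope claim;
         match="any" accepts a token carrying at least one listed value. -->
    <required-claims>
      <claim name="scope" match="any" separator=" ">
        <value>read:items</value>
      </claim>
    </required-claims>
  </validate-jwt>
  <base />
</inbound>
```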

0
votes

Our solution to this problem was to set the "Default Audience" under "Settings" in Auth0:


This way, Auth0 will use the Default Audience as a fallback when no audience is supplied in the request.