Azure API Management Role-based access control implementation

Majed Samyal
Published in azurehelp
4 min read · Jul 24, 2020

In computer systems security, role-based access control (RBAC), or role-based security, is an approach to restricting system access to authorized users based on the roles assigned to them.

I recently implemented RBAC for a Web API that we publish through Azure API Management (APIM), using Azure AD. Azure AD has built-in support for role-based access control through app roles, which you define by adding custom roles to the application's manifest in Azure AD. The application manifest contains a definition of all the attributes of an application object in the Microsoft identity platform, and it also serves as a mechanism for updating that object.

This article won't cover configuring a Web API in Azure API Management; the Microsoft documentation covers that. To protect APIs hosted behind API Management with Azure AD you need two Azure AD app registrations: one for the backend application (the protected resource, i.e. the API itself) and one for the client application (the consumer).

Backend Application configuration for RBAC

Go to Azure Active Directory => App registrations => select your backend application.

Look for manifest in the left pane.

Click on the Manifest file and look for appRoles property.

This is the property we will edit; custom app roles are added here.

An Azure AD app role supports two member types, set through its allowedMemberTypes property.

  1. Application Role

This type of role is for applications that call your API using the client credentials flow. No user is involved in this interaction, which is often called machine-to-machine communication.

An Application Role is not assigned to a user. Instead the client application requests it as an application permission, and an administrator must grant admin consent for it.

New Application Role added in the Manifest file.

2. User Role

The User Role is what we usually mean by role-based access control: after adding a User Role we have to assign it to a user (or group). No admin consent is required in this case. A single manifest entry can list both member types in allowedMemberTypes. Let's modify the Application Role we just added so it allows both.

We are done with the backend application configuration: we added one role that allows both the Application and the User member type. For the User member type we still need a role assignment.

Select your backend application.
Click the highlighted link on the overview page; this is the service principal (the enterprise application) that was created for our backend application.

Go to Users and groups in the left pane and add a user/group assignment.

Select the user and the role. As you can see from the screenshot above, I have only one app role in my application manifest, so only that one is offered. After you are done with the assignment, you can see the assignments list. If you want users without an assigned role to be refused a token altogether, rather than receiving one with an empty roles claim, also set "User assignment required?" to Yes under the enterprise application's Properties.

Assignment list

Client Application configuration for RBAC

Select your client application and Go to the API permission link.

As mentioned above, a User role only requires a user assignment, which we already did on the backend application's service principal. An Application role, however, requires admin consent: the client application must request the application permission that corresponds to the role, and an administrator must grant it.

Click on +Add a permission.

Select your API, choose Application permissions, and tick the role you defined.
The permission is listed with the status warning "Not granted".

Click on the ‘Grant admin consent’ button on top.

Permission granted.

If this consent is not granted, the access token the client application obtains for our API will not contain the role in its roles claim, and the backend must treat such a token as unauthorized.

To verify, use Postman or any other client to obtain a token and decode it: a User role shows up in tokens obtained with the authorization code (or implicit) flow, and an Application role shows up in tokens obtained with the client credentials flow.
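As an added example that is not part of the original article, the block below shows the shape of the two kinds of manifest entries discussed above and the check a backend makes on the resulting roles claim, including the failure mode where admin consent was never granted and the claim is simply absent. The role names, GUIDs, audience URI and token payloads are constructed for illustration; signature verification against the tenant's signing keys is assumed to have happened before authorize() is called and is not shown here.

```python
"""Added example (not from the original article): appRoles manifest entries
and the backend check on the `roles` claim of an Azure AD access token.

Assumptions (not stated on the page): the role names, GUIDs, audience URI
and token payloads below are constructed. Signature verification against
the tenant's signing keys is assumed to happen before authorize(); this
code does not verify signatures.
"""
import base64
import json
import time

# Two appRoles entries as they would appear in the application manifest:
# one usable only by applications (client credentials flow, needs admin
# consent on the client app) and one assignable to users (needs a role
# assignment on the enterprise application). `value` is the string that
# appears in the token's `roles` claim. Constructed example values.
APP_ROLES = [
    {
        "allowedMemberTypes": ["Application"],
        "description": "Daemon clients may read the API",
        "displayName": "Api.Read (application)",
        "id": "11111111-1111-1111-1111-111111111111",  # any unique GUID
        "isEnabled": True,
        "value": "Api.Read",
    },
    {
        "allowedMemberTypes": ["User"],
        "description": "Administrators of the API",
        "displayName": "Api.Admin (user)",
        "id": "22222222-2222-2222-2222-222222222222",
        "isEnabled": True,
        "value": "Api.Admin",
    },
]

# Application ID URI of the backend app registration (constructed); the
# token's `aud` claim must match it.
EXPECTED_AUDIENCE = "api://backend-example"


def manifest_app_roles(member_type):
    """Return the `value`s of enabled roles whose allowedMemberTypes include
    `member_type` ("User" or "Application"): the roles that can ever appear
    in a token for that kind of caller."""
    return sorted(
        r["value"] for r in APP_ROLES
        if r["isEnabled"] and member_type in r["allowedMemberTypes"]
    )


def peek_payload(token):
    """Decode the payload of a compact JWT WITHOUT verifying it, for
    inspecting a token pasted from Postman. Never use this for an access
    decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def authorize(claims, required_role, now=None):
    """Access decision on the claims of an already signature-verified token.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    roles = claims.get("roles", [])
    if not roles:
        # Typical when the client app's application permission was never
        # admin-consented, or the user has no role assignment: the token
        # is otherwise valid but carries no `roles` claim at all.
        return False, "no roles claim"
    if required_role not in roles:
        return False, "missing role %s" % required_role
    return True, "ok"


def _make_unsigned_token(payload):
    """Constructed token with a dummy signature, only to exercise peek_payload."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "sig"])


# Constructed sample claim sets: a client-credentials token, a user token,
# and a token issued to a client whose permission was never consented.
NOW = 1_600_000_000
APP_TOKEN_CLAIMS = {"aud": EXPECTED_AUDIENCE, "exp": NOW + 3600, "roles": ["Api.Read"]}
USER_TOKEN_CLAIMS = {"aud": EXPECTED_AUDIENCE, "exp": NOW + 3600, "roles": ["Api.Admin"]}
NO_CONSENT_CLAIMS = {"aud": EXPECTED_AUDIENCE, "exp": NOW + 3600}

if __name__ == "__main__":
    print("application roles:", manifest_app_roles("Application"))
    print("user roles:", manifest_app_roles("User"))
    for claims in (APP_TOKEN_CLAIMS, USER_TOKEN_CLAIMS, NO_CONSENT_CLAIMS):
        print(authorize(claims, "Api.Read", now=NOW))
    print(peek_payload(_make_unsigned_token(APP_TOKEN_CLAIMS))["roles"])
```

The point of keeping the audience and expiry checks next to the role check is that a token with the right role but the wrong `aud` is a token meant for a different API, and must still be rejected; the role check alone is not an authorization decision.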

Azure also exposes everything configured here through the Microsoft Graph API, so the same setup can be automated over REST.

Please share your feedback in the comment section. Thanks.
