Azure API Management: Configuring the JWT Validation Policy Correctly

Kenneth Babigumira
Capgemini Microsoft Blog
4 min read · Feb 23, 2021

Introduction

Azure API Management (APIM) provides a scalable platform for securing and publishing APIs. APIs published in Azure API Management can be secured using OAuth 2.0 authorisation with Azure AD. The key steps in Microsoft's instructions for securing APIs published in APIM are:

1. Set up two app registrations in Azure AD for the back-end and front-end apps

2. Enable and configure an OAuth 2.0 authorisation server in APIM

3. Configure the OAuth 2.0 server for the API

4. Add a JWT Validation Policy

In addition to securing APIs using OAuth 2.0 authorisation, you can also configure the APIs to require a valid subscription key. In APIM, subscriptions can be scoped to all APIs, a single API or an API product (a collection of APIs).

Source: https://docs.microsoft.com/en-us/azure/api-management/api-management-subscriptions

Scenario

I have a set of APIs published in Azure API Management and assigned to an APIM product. The requirement is to secure the APIs using OAuth 2.0 client credentials grant flow. In addition, a valid subscription key to access the APIs and a valid access token containing the expected roles are required.

Prerequisites

This scenario assumes that an APIM instance has already been created and at least one API has been published to the APIM instance and associated to an APIM product. If you already have an APIM instance and published APIs, you can skip this step. You will also require an Azure AD tenant.

I will use the PowerShell script in the APIM quick start documentation to set up an example that we can use in this blog post.

Protect the web API using OAuth 2.0 authorisation with Azure AD

The next step is to implement OAuth 2.0 authorisation with the client credentials flow, following the detailed instructions in the Microsoft documentation:

  • Set up two app registrations in Azure AD for the back-end and front-end apps
  • Enable and configure an OAuth 2.0 authorisation server in APIM
  • Configure the OAuth 2.0 server for the API
  • Use the Validate JWT policy to pre-authorise requests in APIM

When setting up the Validate JWT policy, I configured it at the APIM product level. Below is an example of the policy. You will need to replace the tenant and ‘aud’ (the Application ID of the back-end app) placeholders with real values.
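For reference, here is a Validate JWT policy of the kind described above, written as an added example for this post rather than the author's own policy. It is placed in the inbound section of an API-scope policy (not the product scope); `{tenant-id}`, `{backend-app-id}` and `{required-role}` are placeholders you replace with values from your own tenant and app registrations.

```xml
<policies>
    <inbound>
        <!-- <base /> inherits the policies of the enclosing scope (All APIs / product) -->
        <base />
        <!-- Reject the request at the gateway unless it carries a valid Azure AD access token.
             Placeholders (replace with your own values):
               {tenant-id}      : Azure AD tenant ID or verified domain
               {backend-app-id} : Application (client) ID of the back-end app registration
               {required-role}  : app role value granted to the front-end app registration -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true">
            <!-- Signing keys and issuer are discovered from the tenant's OpenID metadata -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- 'aud' must identify the back-end API; a token minted for another app is refused.
                 Check a decoded token: the v1.0 endpoint emits the App ID URI (api://...) instead. -->
            <audiences>
                <audience>{backend-app-id}</audience>
            </audiences>
            <!-- Client credentials tokens carry app roles in the 'roles' claim;
                 require the expected role so any registered client is not enough on its own -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>{required-role}</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Verify the scope after saving: a request carrying a valid API-scoped subscription key but no Authorization header should now receive 401 from the gateway, not 200 from the back end.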

Having implemented the changes, I tested the API using Postman. Below is a summary of the results.

Table 1: JWT Validation policy configured at Product Level

When the subscription is scoped at the API level, the API request returns 200 OK both when no Authorization header is provided and when an invalid access token is provided. This shows that, in some instances, an API can be accessed without a valid access token when the Validate JWT policy is set at the product level: the product-level policy is simply not evaluated for those requests.

Figure: API request with a valid subscription scoped at API level but no Authorization header
Figure: API request with a valid subscription scoped at API level but an invalid access token

I re-configured APIM, removed the policy from the APIM product and set it at the API level. This time, we get the expected results irrespective of whether the subscription key is scoped at product or API level.

Table 2: JWT Validation policy configured at API or All APIs Level

Conclusion

Azure API Management provides developers with the tools to secure APIs using OAuth 2.0 authorisation with Azure AD. As demonstrated, it is important that the Validate JWT policy is scoped at the API or All APIs level; otherwise it is possible to access the data without a valid access token.

Thanks for reading, I’d be interested to hear your comments or opinions below, so feel free to share!

Are you looking for something new? The Capgemini Microsoft Apps & Cloud Engineering Team are hiring and looking for talented individuals to work with technologies similar to those in this post.

Take a look at our open roles here and consider joining the team.
