Multiple Authentication policies in Azure APIM - azure

I have two scenarios where in first client will call the APIM with bearer token and other one is Function App will call our APIM with Managed identity. I have the code which will validate the jwt. but I want to know how can I skip the other one if either one is available(e.g I want to skip the jwt validation if its get called with managed Identity). From examples I can see I can do a choose and when but not sure what will be the headers for the managed identity. Here is what I am thinking I should be updating.
<choose>
<when condition="#(context.Request.Headers.GetValueOrDefault("Authorization","") != "")">
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Invalid or Expired token" require-expiration-time="true" require-signed-tokens="true">
<openid-config url=".well-known/openid-configuration" />
<audiences>
<audience>audience</audience>
</audiences>
<issuers>
<issuer>issuer</issuer>
</issuers>
</validate-jwt>
</when>
<when condition="to validate managed identity">
<authentication-managed-identity resource="resource" client-id="clientid of user-assigned identity" output-token-variable-name="token-variable" ignore-error="true|false"/>
</when>
</choose>

For this requirement, I think there isn't any difference between the two request(request APIM with bearer token directly and request APIM from function app by managed identity). Both of them will provide a bearer token in header(Authorization) of the request.
You can refer to this document about calling APIM from function app according to managed identity. You can find the lines of code shown as below in the document which are used to get access token and set the token in header when request APIM.
var azureServiceTokenProvider = new AzureServiceTokenProvider(identity);
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(target,tenantID);
wc.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
So the second request scenario is same with the first request scenario. We can not distinguish them in APIM policy before <validate-jwt>. To implement your requirement, I think you can add a property into the header of the two requests and then check the header in APIM policy. For example, in function app code, you can add a header like below:
httpClient.DefaultRequestHeaders.Add("comeFrom", "fromFunApp");
Then check the header in policy:
<choose>
<when condition="#(context.Request.Headers.GetValueOrDefault("comeFrom","") != "fromFunApp" && context.Request.Headers.GetValueOrDefault("Authorization","") != "")">
..............

Related

Azure APIM Validate JWT based on two different claims

I am trying to create a policy in Azure APIM to validate JWT Tokens (Azure AD tokens) based on two different claims.
My API may be consumed by either other applications or users - it may be called from an user context or an application context. As such, the token might contain either the "scp" claim e.g. user_impersonation or "roles" claim like [ "CallApiAsAnApp" ].
From the documentation, I have not found any way to do this. Is this possible or do I have to implement custom code to do this at the API level? Any claims added to "required-claims" in the policy become mandatory. There doesn't seem to be any "match-any" option at the claims level, only values level.
In the end, the only way I could find to fix the issue is to use the choose element instead of validate-jwt, with custom code (which is what I was hoping to avoid any way). Basically I am saving the validated JWT Token to a variable and then using if / elseif to determine if the token is acceptable. Working relevant configuration below
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer" output-token-variable-name="valid-jwt">
<openid-config url="https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration" />
<issuers>
<issuer>https://sts.windows.net/tenantid/</issuer>
</issuers>
</validate-jwt>
<choose>
<when condition="#{
var jwt = (Jwt)context.Variables["valid-jwt"];
if(jwt.Claims.ContainsKey("roles")){
var roles = jwt.Claims["roles"];
return !Array.Exists(roles, element => element == "MyRoleName");
} else if (jwt.Claims.ContainsKey("scp")){
var scp = jwt.Claims["scp"];
return !Array.Exists(scp, element => element == "user_impersonation");
} else { return true; }
}">
<return-response>
<set-status code="401" reason="Unauthorized" />
</return-response>
</when>
<otherwise />
</choose>
As you mentioned the token may contain either the scp cllaim or roles claim, it seems your token sometimes generated in "Delegated" type and sometimes generated in "Application" type. You just need to configure the <validate-jwt> policy like below screenshot, add both of the claims in it and choose "Any claim".
After that, the token can be validated if it just contain one claim.
By the way, please check if your tokens in two situations have same "Audiences", otherwise your requirement may not be implemented by the configuration above.

Use Azure App Service Authentication to log into Api Management Service

I was able to setup Azure Active Directory (aad) to authenticate users for the App Service running an angular front-end, now I want to secure the backend by allowing only this authenticated users to send requests to the Api Management Service endpoint.
So, I followed this article https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad and I am facing 2 major problems:
The /.auth/me endpoint only returns an id_token, not an access_token
When I try with postman, I keep on getting invalid audience, but postman uses an audience that looks like 00000-00000...
Here's the api management service inbound request policy jwt-validate:
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="failed message">
<openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
<audiences>
<audience>{app-id-uri}></audience>
</audiences>
</validate-jwt>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
For your first problem:
Actually, it can just response id token when you request the /.auth/me endpoint because you just implement login but not specify a resource(or a backend app/api protected by AD) in your app service. So the response contains id token and without access token.
If you want to get access token when you request /.auth/me endpoint, you need to specify the resource in your app service. Here I assume you have already registered an app in Azure AD to represent your APIM. Then you can use the Resource Explore to modify the settings like below:
1 . locate your app service
2 . locate the config->authsettings (the resource below is the client id of the app you registered to represent your APIM)
"additionalLoginParams": [
"response_type=code id_token",
"resource=3fa9607b-63cc-4050-82b7-91e44ff1df38"
],
3 . config the redirect_uri for Azure app like below:
https://yourapp.azurewebsites.net/.auth/login/aad/callback
Then after you login in the angular app, you can get the access_token via the endpoint:
https://yourapp.azurewebsites.net/.auth/me
The steps above come from this post, you can also refer to it for detail information.
For your second problem:
When you request the APIM api in postman, you should put the access token in the request header. And you mentioned that the access token which you used in postman contains the audience like 00000-00000... But in your validate-jwt policy, you use:
<audiences>
<audience>{app-id-uri}</audience>
</audiences>
It seems {app-id-uri} is not only a id but should be a uri like: api://00000-00000.... So please change {app-id-uri} from uri format to id format (just remove api://).

Azure Apim authentication for apis

I have an api endpoint which is being used by multiple public clients. And each client is configured with different clientids. I am using Authorization Code flow with Oauth2 openid protocol. I would like to introduce an Azure Apim service and would like to validate the jwt token before forwarding the request to apis. Could you please let me know how can i achieve this?
Note: I can't use single client id as redirect uri is different for each client.
You can use the Validate JWT policy to pre-authorize requests in API Management, by validating the access tokens of each incoming request. If a request does not have a valid token, API Management blocks it. For example, add the following policy to the <inbound> policy section of the Echo API. It checks the audience claim in an access token, and returns an error message if the token is not valid.
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration" />
<required-claims>
<claim name="aud">
<value>{Application ID of backend-app}</value>
</claim>
</required-claims>
</validate-jwt>
For more details, you could refer to the article about Configure a JWT validation policy to pre-authorize requests

Azure API Management: authorization with Oauth2 401 gives "Unauthorized. Access token is missing or invalid."

I have a few APIs (Logic Apps, Functions) that I want to expose through Azure API Management.
They work fine, so I decided to add OAuth2 autorization.
I followed step by step https://learn.microsoft.com/fr-fr/azure/api-management/api-management-howto-protect-backend-with-aad:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Also use Postman to test
Everything works until the "validate-jwt" policy step.
When I add it, I get a "401 - Unauthorized. Access token is missing or invalid."
I can get the token, in Developer Console and Postman, but as soon as I do the API call... 401!
When I used jwt.ms to check the content of the token, I noticed that the aud param has nothing to do with the backend Application ID.
The value in the token is "00000003-0000-0000-c000-000000000000", whereas the backend app ID is like "16caXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXc0".
I'm running out of ideas and need the help of some Azure gurus out there!
Help would be very much appreciated...
Here below the inbound policy as per the MS doc:
<policies>
<inbound>
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/MY_AD_TENANT_ID/.well-known/openid-configuration" />
<required-claims>
<claim name="aud">
<value>MY8BACKEND_APP_ID_GUID</value>
</claim>
</required-claims>
</validate-jwt>
</inbound>
<backend>
<forward-request />
</backend>
<outbound />
<on-error />
</policies>
Screen cap of the Postman screen where I get the token (this works, but then when I send the request --> 401)
Screen cap of aud param in jwt.ms
I had some problems with validating Azure AD tokens a couple of years back - see my write up.
I suspect the problem is the nonce in the JWT header.
You're not really required to check value of aud parameter. You could remove required-claims alltogether, this way token presence and signature would still be validated. If you want to make sure that token was issued for your app, just find the claim that contains app id and use it in name="..." to match against your app id value.
if using v2 version endpoint, go to -> azure ad -> app registration -> select backend-app -> manifest -> update property "accessTokenAcceptedVersion": 2,"

JWT validation failure error in azure apim

I am currently trying to implement Oauth2.0 to protect API using below documentation
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
And currently using the DEMO CONFERENCE API provide by azure apim to test the implementation.
And currently receiving error during test in developer portal as :
"message": "JWT Validation Failed: Claim value mismatch: aud=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx.."
Compared the token passed with the claim value by decoding it and its matching.
I have the jwt token validation policy as below
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid." require-expiration-time="false" require-signed-tokens="false">
<openid-config url="https://login.microsoftonline.com/xxxxxxxxx-07c8-xxxxx-xxxx-xxxxxxxxx/.well-known/openid-configuration" />
<required-claims>
<claim name="aud" match="all" separator="-">
<value>xxxxxxxx-xxxxx-489e-a26e-xxxxxxxx</value>
</claim>
</required-claims>
</validate-jwt>
</inbound>
First, you need to validate your JWT token. Then when we register an application its getting registered with version V1 and Access token issuer comes with sts url and if we try to pass Access Token with V2 its failed V2 issuer is login.microsoft.com.
So fix is to go in manifest file "accessTokenAcceptedVersion": 2 for registered applications in AD. Refer to this issue.

Resources