I see from Microsoft Docs, they provide only these 3 basic, certificate and MSI in the policy. https://learn.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#AuthenticationPolicies
Does that mean I can not accomplish the OIDC?
SHORT ANSWER: No changes in API Management if you are changing the authentication of API Consumers with Backend API.
Long Answer explaining how authentication policies are not related to API consumer authentication is given below.
Basic Concept
API Management is in the middle of your API and your consumer.
From terminology perspective, your API in this case is called as Backend API. Frontend API is the URL of API management, which can be shared with your consumer.
Refer this page for further basic terminology about API Management.
In my opinion, there are two different questions: one about consumer OAuth authentication and other about which authentication policy is required to be configured in APIM.
Consumer Authentication
So, if you want your consumer to get authenticated using JWT Authentication or OAuth authentication, the flow is simple. The consumer will get the authentication token from the identity service and then use that token to call your API.
As long as you do not modify it using API Management policies, it should work. API Management is not required to know the Authority or any other details about authority.
APIM Authentication Policies
Based on your design, you can choose if Backend API (i.e. the API which you hosted in APIM) should have logic to authenticate the Frontend API - to ensure that only known party is calling your API.
As per documentation, you can configure :
Basic Authentication policy and send username and password with every request to backend API
Certificate authentication policy and send certificate thumbprint with every request to backend API
Managed Identity to use Azure AD authentication.
All these three policies just help your backend API to ensure the identity of the caller (i.e. APIM Fronend API in this case). This has nothing to do with Consumer Authentication and OAuth.
For ex. You can set up your API in such a way that consumer needs to get authenticated using Facebook authentication. And in addition, you can have certificate authentication to identify that only valid APIM instance is redirecting the consumer request from Frontend API to Backend API.
Hope this clarifies.
As the article said:
If your backend API is already secured with OAuth2.0 using any platform, then the API consumers should pass the Authorization header to the API management.
You do not need to add any policy in the API Management. The header would be sent by API Consumer and API Management would send the same header to the Backend API.
Use basic authentication and set header manually.
<authentication-basic username="username" password="password" />
<set-header name="Authorization" exists-action="override">
<value>#("Bearer " + (string)context.Variables["token"])</value>
</set-header>
Related
I have two projects in a solution. One is .net core 3.0 based Web API. Next is Angular 9 SPA. I've been asked to setup Azure AD based authentication. So I enabled that in API.
But I am seriously confused where it actually requires to enable? Client App or API? or Both?
Since your client needs to call the API, it needs to authenticate to it.
And since the API requires AAD tokens, your client will need to acquire one.
So you need to implement Azure AD authentication in your client application and in the API.
The client's job is to authenticate the user with Azure AD and acquire an access token for the API.
It then adds that token as a header on each request:
Authorization: Bearer token-goes-here
The API then validates that token on each request.
I'm enabling OAuth2 for my Azure API Management instance. I click Add to add OAuth2, and it's asking me to enter name, and description of authorization service, so my thinking is I am creating an authorization service here.
Why is it asking me to provide client id, client secret, resource owner user, and resource owner password. I understand the concepts of OAuth2 and how these are used, but I am setting up API Management to handle OAuth2 authorization, so the job of the Authorization server will be to validate authorization codes and client secrets. The clients will have their own Client IDs and Client Secrets. Resource Owner should be an Azure AD identity with it's own user name and password.
Why, when I am setting up the authorization server for API Management is it asking me to enter Client ID and Client Secret as well as Resource Owner credentials. It doesn't make sense to me. Can someone explain?
So....what gives? Am I in the wrong screen because API Management
APIM can't be used as OAuth server. The only reason at the moment to configure OAuth/OIDC server in APIM is to make sure it's included into exported specification of an API and that developer portal has a convenient UI to let users obtain tokens, nothing else. That's why it's expected to provide client id and secret, because APIM is effectively a client.
Step 1 : Choose an OAuth provider such as Auth0
Step 2 : Configure various OAuth scenarios as API's in your OAuth provider (API is the term Auth0 uses, other providers might refer to them with other terms)
Step 3 : Create APIM OAuth 2 records, filling in the fields in your question (client id, client secret). Create a record for each API you have configured in your OAuth provider (in Step 2).
Step 4 : In the APIM edit the details of the various API's choosing the appropriate OAuth record you setup in Step 3. Here you are choosing the OAuth scenario for each of your APIs. Many APIs may use the same scenario, but obviously an individual APIM API entry can only link to 1 OAuth scenario
Thus you have configured various APIs in the APIM against various OAuth scenarios. Usually the details behind the OAuth setup are invisible to the API and are so setup and exposed only by their ClientID, secret and urls for token and authorise.
Auth0 has a good tutorial for seting up Azure APIM: HERE
apim should have it's own identity. Have you created an app registration for the instance? The credentials from the app reg on aad used will identify apim and allow validation of the token.
I have an API hosted in Azure (Web App). This API can't be accessed directory by every client (IP Restriction), and I am willing to use APIM to protect it.
Users will call the APIM-Gateway and the gateway should responds appropriately.
One big problem is authentication: I am protecting this API (The Backend API and not the APIM-Gateway endpoint) with AAD.
So users should authenticate themselves against AAD and access the resources with no direct access to the backend.
Is it possible to implement such a scenario?
If you're fine with users authenticating against AAD then it's perfectly supported. With that model APIM may be used to just pass-through user requests to backend or you could use validate-jwt policy somewhere in request processing pipeline to validate users' tokens and authorize invoked actions.
APIM's authorization servers feature may be used to document that your APIs require AAD token from certain server. If this is done test console on developer portal will show controls to simplify getting token to make test calls to your APIs.
Normally APIM requires clients to pass subscription keys to authenticate and authorize calls. But if you're relying on AAD that may be not something you want - then you can use Open product to make your calls anonymous to APIM. validate-jwt policy can still be used to require certain token to be present with request.
There are various ways you can ensure that your backend is reachable only via APIM:
Shared secret - set a special header in APIM policy and check it's value on backend.
Client certificate authentication - APIM may be set up to attach client certificate to each request to backend that you will check at backend side to make sure that this is APIM making a call.
VNET - APIM can join your VNET, while backend may be setup to accept calls only within VNET making it possible to be called only through APIM.
I have used below approach in my recent project and used jwt validation to validate oauth2 token in policy
Follow Microsoft document link https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.
Here is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization. (optional)
Add the validate-jwt policy to validate the OAuth token for every incoming request.
I have an API Management resource on Azure which uses an API running as a Kubernetes cluster.
I want to have OAuth2.0 authentication for clients/applications which connect to the API management URL. I do not want any user authentication, but only want clients which want to use the URL to send a client ID and client Secret.
How do I do this?
I could not find anything related to this in the documentation.
If you dont want user context to be involved, You must prepare client credential flow from Oauth2.0 which uses client id and client secret.
I am explaining using Azure AD.
1) Create Application in Azure AD and get client id and secret
(https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-new-portal/)
2) Call token end point of Azure AD to get secured token
(https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
3) Pass this token to APIM using authorize or from any header
4) Validate JWT and check issuer,audience and application level scopes
(https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT)
No sure what exactly are you asking!
But here are two places where you will find a solution to your question:
How to secure your backend apis: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
API Management access restriction policies: https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies. More specific here check the Validate JWT (https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT)
I have an API APP deployed in Azure & I put on Azure Active Directory Authentication. I need that API APP should be accessible outside.(The people who are not using Azure)
I have added that API APP into Api Management Service to use policy & authorize API.
Is any way to do that? Can I use Client Id & client secret to authenticate API APP
Yes, you can use send-request (https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SendRequest) policy as a part of request processing to call into AAD with client id and secret and obtain authentication token to attach to ongoing request. Works best with implicit oauth flow since it requires only single HTTP call.