
I am trying to access a service using Azure API Management. I have enabled OAuth authentication on top of the service by using APIs > Settings > Security and selecting OAuth 2.0. But even after making this change, I am able to access the endpoints without providing any tokens. Am I missing anything?


2 Answers


  1. Chosen as BEST ANSWER

    I did not add the JWT validation policy to pre-authorize requests

    To add the policy select Design tab & click on </> icon (for policy code editor) under Inbound Processing & add following code:

    <!-- Reject any request whose Authorization header lacks a valid token; the error
         fields below are what the caller sees when validation fails. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <!-- {aad-tenant}: your Azure AD tenant id or domain -->
        <openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />
        <required-claims>
            <!-- {backend-app-client-id}: application (client) id of the backend app registration;
                 tokens issued for any other audience are rejected -->
            <claim name="aud">
                <value>{backend-app-client-id}</value>
            </claim>
        </required-claims>
    </validate-jwt>


    After saving it make a new request.



  2. I hope you have configured the JWT policy, could you please confirm?
    What if someone calls your API without a token or with an invalid token? For example, if you try to call the API without the Authorization header, the call will still go through.

    This is because API Management does not validate the access token; it simply passes the Authorization header to the back-end API.

    To pre-authorize requests, we can use a policy that validates the access token of each incoming request. If a request does not have a valid token, API Management blocks it.

    reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests

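As an added example (not code from either answer or from Azure), the checks that the validate-jwt policy above performs, written in Python so they can be run offline: an HS256 shared secret stands in for the RS256 signing keys the policy would fetch through the openid-config URL, and the audience value is a constructed placeholder for {backend-app-client-id}. It shows what both answers describe: without such a check a missing, expired, forged or wrong-audience token is simply passed on, and with it the request is answered with the policy's 401 instead.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed values: the page's {backend-app-client-id} placeholder and a
# stand-in for the signing key the policy would obtain via openid-config.
EXPECTED_AUD = "backend-app-client-id-placeholder"
SIGNING_SECRET = b"constructed-demo-secret"
FAILED_MESSAGE = "Unauthorized. Access token is missing or invalid."

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Mint a constructed HS256 token so the validator can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jwt(authorization: Optional[str], expected_aud: str = EXPECTED_AUD,
                 secret: bytes = SIGNING_SECRET,
                 now: Optional[float] = None) -> Optional[Tuple[int, str]]:
    """Mirror the validate-jwt policy on the Authorization header value.

    Returns None when the request may proceed to the backend, otherwise the
    (failed-validation-httpcode, failed-validation-error-message) pair.
    """
    reject = (401, FAILED_MESSAGE)
    if not authorization or not authorization.startswith("Bearer "):
        return reject  # no token: without the policy this request would pass through
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return reject
    header, payload, sig = parts
    expected_sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_b64url_decode(sig), expected_sig):
            return reject  # signature does not verify: tampered or foreign token
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64url or malformed JSON
        return reject
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return reject  # expired (or no exp claim at all)
    if claims.get("aud") != expected_aud:
        return reject  # the <required-claims><claim name="aud"> check
    return None
```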