Azure API Management Policy to acquire and forward JWT token to the backend from Azure AD

Suman Sourav
2 min read · Feb 28, 2023

Introduction:

Azure API Management is a powerful tool for managing APIs and implementing policies to control access, security, and performance. One common scenario is to secure APIs using Azure Active Directory (Azure AD) authentication and authorization. In this article, we will explore how to add a policy in Azure API Management to fetch an app registration token from Azure AD and add it to the backend request. This can help to secure your APIs by validating the identity of the calling application and authorizing access based on the app registration permissions.

Prerequisites:

Before getting started, you will need the following prerequisites:

  • An Azure subscription with API Management service and Azure AD tenant
  • An Azure AD app registration with client ID, client secret, and API permissions
  • A backend API that requires authentication and authorization using Azure AD app registration token

Step 1: Create an Azure AD app registration

The first step is to create an Azure AD app registration with the required permissions to access your backend API.

This can be done through the Azure portal by navigating to Azure Active Directory > App registrations and clicking on the New registration button.

Provide a name for your app registration and select the appropriate options for the supported account types, redirect URI, and other settings. Once the app registration is created, note down the client ID, client secret, and API permissions.

Step 2: Create an API Management policy

The next step is to create an API Management policy that fetches the app registration token from Azure AD and adds it to the backend request. This can be done by editing the inbound policy of your API in API Management and adding the following code snippet:

<inbound>
    <base />
    <!-- Replace the placeholders below; in production, reference named values backed by Key Vault instead of pasting literals into the policy -->
    <set-variable name="client_id" value="YOUR_CLIENT_ID" />
    <set-variable name="client_secret" value="YOUR_CLIENT_SECRET" />
    <set-variable name="resource" value="YOUR_RESOURCE_URI" />
    <set-variable name="grant_type" value="client_credentials" />
    <!-- Azure AD v1.0 token endpoint of your tenant; the v1.0 endpoint is the one that accepts the "resource" parameter -->
    <set-variable name="auth_url" value="https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token" />
    <!-- Client-credentials request to Azure AD. The form body is built inside send-request so the caller's own request body and Content-Type are left untouched -->
    <send-request mode="new" response-variable-name="tokenResponse" timeout="20" ignore-error="false">
        <set-url>@((string)context.Variables["auth_url"])</set-url>
        <set-method>POST</set-method>
        <set-header name="Content-Type" exists-action="override">
            <value>application/x-www-form-urlencoded</value>
        </set-header>
        <set-body>@("grant_type=" + Uri.EscapeDataString((string)context.Variables["grant_type"]) + "&client_id=" + Uri.EscapeDataString((string)context.Variables["client_id"]) + "&client_secret=" + Uri.EscapeDataString((string)context.Variables["client_secret"]) + "&resource=" + Uri.EscapeDataString((string)context.Variables["resource"]))</set-body>
    </send-request>
    <!-- Forward the access token from the token response to the backend as a bearer token -->
    <set-header name="Authorization" exists-action="override">
        <value>@("Bearer " + ((IResponse)context.Variables["tokenResponse"]).Body.As<JObject>()["access_token"].ToString())</value>
    </set-header>
</inbound>

Replace the placeholders with the actual values for your Azure AD app registration (client ID and client secret), the resource URI of your backend API, and your tenant's token endpoint. On each request the policy fetches an app registration token from Azure AD using the client credentials flow and forwards it to the backend in the Authorization header as a bearer token.

Step 3: Apply the policy to your API

The final step is to apply the policy to your API in API Management.
