Azure API Management lets you do a variety of things with an individual API, one of which is securing it with a built-in authorization server and JWT validation. This tutorial by Microsoft is a great resource for implementing the authorization server and getting your site secured. However, it skips one key step: validating the Authorization header you're sending to API Management.
Validating the JWT authorization header
Once your authorization server is set up and you're able to retrieve an access token, you may notice that you can still call your API with just a subscription key. So what's the deal? Registering the authorization server only tells the developer portal how to obtain a token; nothing in API Management inspects that token until a policy tells it to. The final step is to set up a policy that checks the JWT you're sending and rejects the request if the access token is missing or invalid.
Heading over to the policies for your API, this (simple) inbound policy will check the bearer token:
<inbound>
    ...
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.windows.net/<name or GUID of your Azure directory>/.well-known/openid-configuration" />
    </validate-jwt>
    ...
</inbound>
With only <openid-config> set, the policy accepts any token that is signed by that directory's published keys and still within its validity window, including tokens issued for other applications in the same tenant. Add an <audiences> element (or <required-claims>) carrying your API's App ID URI so those are rejected too, and keep in mind that the subscription key is still required in addition to the token.
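To make the checks behind that policy concrete, here is an added example (not from the original post or from Microsoft) that reimplements what <validate-jwt> does with an <openid-config>: pick the signing key by kid, verify the RS256 signature, enforce exp and nbf, and enforce issuer and audience. It runs offline, so the tenant, its signing key, the issuer URL, the App ID URI api://my-api and every token are constructed in the code rather than fetched from login.windows.net; an empty wantAud argument reproduces the policy above with no <audiences>, which is why the other-audience case is worth watching.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// keySet holds signing keys by kid, as APIM caches them from the jwks_uri in the openid-configuration.
type keySet map[string]*rsa.PublicKey

// signRS256 mints a compact JWS the way an identity provider would; used only for the constructed tokens below.
func signRS256(priv *rsa.PrivateKey, kid string, payload map[string]interface{}) string {
	enc := func(v interface{}) string { j, _ := json.Marshal(v); return b64.EncodeToString(j) }
	input := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." + enc(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail for a valid key
	return input + "." + b64.EncodeToString(sig)
}

// validateJWT does what <validate-jwt> with an <openid-config> does: select the key by kid, verify RS256, enforce
// exp/nbf, then enforce issuer and audience only when wantIss/wantAud are set (an empty wantAud reproduces a policy
// with no <audiences>: any token the tenant issued is accepted). aud is treated as a single string, as Azure AD issues it.
func validateJWT(token string, keys keySet, wantIss, wantAud string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("bad header or unsupported alg") // also rejects alg=none
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return errors.New("no signing key for kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature invalid")
	}
	var c struct{ Iss, Aud string; Exp, Nbf int64 }
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return errors.New("bad payload")
	}
	switch {
	case c.Exp == 0 || now.Unix() >= c.Exp: // exp is required, as validate-jwt requires by default
		return errors.New("token expired or has no exp")
	case now.Unix() < c.Nbf:
		return errors.New("token not yet valid")
	case wantIss != "" && c.Iss != wantIss:
		return errors.New("issuer mismatch")
	case wantAud != "" && c.Aud != wantAud:
		return errors.New("audience mismatch")
	}
	return nil
}

// RunChecks stands up a constructed tenant with one signing key, mints five tokens, and reports which pass.
func RunChecks() map[string]bool {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := keySet{"k1": &priv.PublicKey}
	const iss = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/" // constructed tenant
	const api = "api://my-api"                                                  // constructed App ID URI
	now := time.Now()
	mint := func(aud string, exp time.Time) string {
		return signRS256(priv, "k1", map[string]interface{}{
			"iss": iss, "aud": aud, "exp": exp.Unix(), "nbf": now.Add(-time.Minute).Unix()})
	}
	good := mint(api, now.Add(time.Hour))
	p := strings.Split(good, ".")
	tokens := map[string]string{
		"valid":          good,
		"expired":        mint(api, now.Add(-time.Hour)),
		"other-audience": mint("api://some-other-app", now.Add(time.Hour)),
		"tampered":       p[0] + "." + p[1] + "." + p[2][:len(p[2])-8] + "AAAAAAAA",
		"alg-none":       b64.EncodeToString([]byte(`{"alg":"none","kid":"k1"}`)) + "." + p[1] + ".",
	}
	out := map[string]bool{}
	for name, tok := range tokens {
		out[name] = validateJWT(tok, keys, iss, api, now) == nil
	}
	return out
}

func main() {
	for name, ok := range RunChecks() {
		fmt.Printf("%-15s accepted=%v\n", name, ok)
	}
}
```

Running it accepts only the valid token and rejects the expired, tampered and alg=none ones as the policy above would; the other-audience token is rejected here only because RunChecks passes api as wantAud, which is the same effect adding <audiences> to the policy has. Swap that argument for "" and the other-audience token sails through, exactly as it would against the policy as written.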