Securing your API in API Management using OAuth 2.0

Azure’s API Management allows individual APIs to do a variety of things, one of which is securing an API with a built-in authorization server and JWT token validation.  This tutorial by Microsoft is a great resource for configuring the authorization server and getting your API secured.  However, it leaves out one key step: validating the Authorization header you’re sending to API Management.

Validating the JWT authorization header

Once your authorization server is set up and you’re able to retrieve an access token, you may notice that you can still call your API with just a subscription key.  So what’s the deal?  Configuring the authorization server only tells the developer portal how to obtain a token; the gateway itself does not look at the token until a policy tells it to.  The final step is to set up a policy rule that checks the JWT you’re sending and rejects the request if the access token is missing or invalid.

Heading over to the policies for your API, this (simple) policy rule will check the bearer token:

<inbound>
...
    <!-- Reject the request with 401 unless the Authorization header carries a JWT
         whose signature checks out against the tenant's published signing keys -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <!-- Signing keys and issuer are discovered from the tenant's OpenID Connect metadata -->
        <openid-config url="https://login.windows.net/<name or GUID of your Azure directory>/.well-known/openid-configuration" />
    </validate-jwt>
...
</inbound>
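The policy above proves only that the token was signed by your directory. It does not check who the token was issued for, so a valid token obtained for any other application registered in the same tenant would also get through. The following hardened policy is an added example, not code from the Microsoft tutorial or from the original post; the audience value `api://contoso-orders`, the `roles` claim values and the tenant placeholders are assumptions you must replace with the values from your own app registration (the issuer shown is the v1 Azure AD issuer format; v2 tokens use a `https://login.microsoftonline.com/<tenant GUID>/v2.0` issuer instead):

```xml
<inbound>
    <base />
    <!-- Added example: validate-jwt with audience, issuer and claim checks.
         Replace the audience, issuer and role values with your own (assumed placeholders). -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true">
        <!-- Signing keys are fetched from the tenant's OpenID Connect metadata -->
        <openid-config url="https://login.windows.net/<name or GUID of your Azure directory>/.well-known/openid-configuration" />
        <!-- Only accept tokens minted for this API's app registration (assumed value) -->
        <audiences>
            <audience>api://contoso-orders</audience>
        </audiences>
        <!-- Only accept tokens from this tenant; v1 tokens use the sts.windows.net issuer -->
        <issuers>
            <issuer>https://sts.windows.net/<GUID of your Azure directory>/</issuer>
        </issuers>
        <!-- Require at least one of the app roles assigned to the caller (assumed role names) -->
        <required-claims>
            <claim name="roles" match="any">
                <value>Orders.Read</value>
                <value>Orders.Write</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

To confirm the policy is doing its job, call the API three ways: with only the subscription key header, with the subscription key plus a token issued for a different application in the same tenant, and with a token for the correct audience. The first two should now return 401 and only the third should reach the backend.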
