I am trying to access a service using Azure API Management. I have enabled OAuth authentication on top of the service by going to APIs > Settings > Security and selecting OAuth 2.0. But even after making this change, I am able to access the endpoints without providing any tokens. Am I missing anything?
2 Answers
I did not add the JWT validation policy to pre-authorize requests.
To add the policy, select the Design tab, click on the </> icon (for the policy code editor) under Inbound Processing, and add the following code:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud">
            <value>{backend-app-client-id}</value>
        </claim>
    </required-claims>
</validate-jwt>
After saving it make a new request.
Comments
I hope you have configured the JWT policy, could you please confirm? What happens if someone calls your API without a token or with an invalid token? For example, if you try to call the API without the Authorization header, the call will still go through.
This is because API Management does not validate the access token; it simply passes the Authorization header to the back-end API.
To pre-authorize requests, we can use a policy that validates the access token of each incoming request. If a request does not have a valid token, API Management blocks it.
4 Comments
Is aad-tenant the client id of the client application (not the client id of the backend API/service)? "A user or application acquires a token from Azure AD with permissions that grant access to the backend-app." Does that mean I need to register a client app with Azure AD and then make calls to get a token? If yes, where can I find that information?

