Azure API Management – How to secure your Azure Functions Endpoints with APIM

Securing Azure Function using JWT tokens and Azure APIM

There are several ways to secure an API or backend service running in the cloud.

If you are using Azure API Management, there are different options available, such as OAuth 2.0 or client certificates. Today we are discussing securing the backend with OAuth 2.0 in Azure API Management.

Azure API Management is a reverse proxy that sits between your backend API/service and your front-end application. Once you configure your API on Azure API Management you get a base address that represents your API, and you ask your service consumers to use the API through that address only.

Here API Management receives the request from the consumer and passes it to the actual API. In between, API Management can analyze the request and approve or reject it, depending on how you configured it.

API Management provides predefined policies, which you can configure for different business requirements.
You can also use policies for access restriction and authentication. That means you can authorize a request using an external authorizer (like Azure Active Directory) or use any other expression to implement your own business logic.

Now, as API Management comes with its own URL, you need to ensure that your Web API / Azure Function cannot be called directly, bypassing API Management.

We will use Azure Active Directory (Identity Provider and Authentication by JWT), Azure Functions (HTTP Triggered Demo API) and Azure APIM Instance.

I am going to tell you how I did it, what challenges I faced and how I fixed those issues. I am sure you can experiment with my findings and share your experiences.

Problem Statement: – There is a Web API which needs to be secured using Azure Active Directory JWT authorization.

Prerequisites: –

· Azure Active Directory Instance

· Web API – An HTTP Triggered Azure Function to simulate a simple unsecured web API

· APIM Instance

What we are going to do: –

· Step 1: – Use Azure Active Directory Instance and register a Web API Application

· Step 2: – On the APIM instance, configure an OAuth 2.0 provider using the Azure Active Directory application

· Step 3: – Create an HTTP Triggered Azure Function to simulate a simple unsecured web API

· Step 4: – Configure the Azure Function in the APIM instance.

· Step 5: – Test the changes with Postman

Step 1: – First let’s register a web application/web API in the Azure Active Directory Instance

1. Click on New registration, and let’s name our web/API app “aadWebAPIReg1”

2. After registration -> In the application’s Certificates & secrets blade -> create a secret key and copy it to a notepad file for later use.

3. Expose an API blade ->

a. Generate the Application ID URI -> click on the Set button

b. Save the Application ID URI

c. Add a scope -> select the consent option

d. Give it some meaningful name -> I am using user_impersonation_aad_api -> and click on the Save button

Copy the Scope: –

api://3fc6f513-4cfa-4a28-96b4-85662739f834/user_impersonation_aad_api

4. On the Manifest blade: – Set the manifest token version (accessTokenAcceptedVersion) to 2 and save your changes; I will explain the reason for this change later in the discussion.

5. Overview blade: – Take the endpoints from your AAD for later use. Copy the v2 endpoints: OAuth 2.0 authorization endpoint (v2), OAuth 2.0 token endpoint (v2) and the OpenID Connect metadata document.

6. For now, we are not setting any Redirect URL in the Authentication blade, we will set it later once we complete the configuration in the APIM instance

Step 2: – Go to APIM – Security Settings -> OAuth 2.0 ->

1. Click on the Add button

2. Add a Display Name and the other fields; set Client Registration Page URL to http://localhost as we are not going to provide any user management/registration related functionality for now.

3. Set Authorization grant types to Authorization Code

4. Set the Authorization URL endpoint to your Active Directory v2 authorization endpoint discussed in Step 1.5 of the application registration in Azure Active Directory

5. Set the Default scope to the scope created in Step 1.3.d. This will be the scope of your AAD web API.

6. Client Id will be your AAD Application Id and Client secret will be the secret you created in Step 1.2

7. Copy the redirect_URI (non-editable) – you need to add/allow this URL in the AAD Web authentication tab of Step 1.6.

8. Leave Resource owner username & Resource owner password blank

9. Click on the Create button

10. This completes the OAuth 2.0 configuration related work.

Step 3: – Let’s quickly create an HTTP triggered Azure Function

1. You can follow the basic steps on the MSDN site – https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-first-azure-function – on how to create a simple Azure Function.

2. Copy the Azure Function URL and try to access the link in the browser; it will show you the result without any authentication.

Step 4: – Configure the Azure Function URL in the APIM instance.

1. To bring the API under AAD JWT authentication, click on the APIs blade of the Azure API Management instance

2. Select Function App and use the corresponding blades to pick the recently created function

3. Provide a few details and click on Create –

4. Once you add the Azure Function URL, you will see a page that lists all the functions of the selected function app

5. Click on the Settings tab -> scroll down to Security settings, select OAuth 2.0, select the server that we added in Step 2, and click Save.

6. At this point you can invoke your API without authorization using the API Management URL or from the Developer Portal; give it a try.

7. To get that URL, go to the Developer Portal. Later we will add a policy to validate the JWT token.

8. You may get this error if you didn’t add the redirect URL generated in Step 2.7 to the Azure Active Directory application

9. These are the steps to register the OAuth 2.0 redirect URI in the AAD web application

10. We copied the redirect_URI of APIM in Step 2.7.

11. Add that URL in the AAD Web application that we registered earlier.

12. Select Access tokens

13. Now we can try our API again from the Developer Portal. As I’ve already logged in, when I select Authorization code from the drop-down the system automatically adds the authorization token to the request

14. Invoking this request may raise a 401 error about a missing subscription key

15. To fix this instantly, add this API to a product from API -> Settings

16. Once you do this, you will see that Ocp-Apim-Subscription-Key appears in the Developer Portal

17. Select the authorization server (activeDirectoryAuth) from the Authorization drop-down and click on the Send button.

18. If you followed all the steps correctly you will get a 200 response from your API.

19. You can also test it from Postman; the API responds without any issue.

20. We are using the same subscription key in the header and the correct parameter, and we can invoke it successfully, yet we didn’t add the JWT token at this stage. Why so? Why are we not getting any authentication error?

21. This is because we hosted our API on Azure APIM, but APIM is not validating the token when it serves the request, so let’s quickly add JWT validation.

22. To do that go to APIM -> APIs blade and select your API -> Design tab -> Inbound processing -> Policies </>

23. In the Inbound policies section add the JWT validation policy XML (validate-jwt) –

24. You need the Azure Active Directory OpenID Connect metadata document endpoint – copy it – and the Application Id of your application.

25. It will look like this – click on Save to save your changes.

26. Now your API is protected by Azure Active Directory JWT tokens.

27. If we try the same request from Postman again it will respond with a 401 error – “Unauthorized. Access token is missing or invalid.”

28. Let’s add a JWT token in Postman and try it again.

29. Go to the Developer Portal, copy the Authorization token and paste it in the Postman request header, next to the subscription key.

30. If you followed along with me correctly you will get a response from the API with the JWT Authorization header

31. Congratulations! You have done it; now your API is secured.

Important Consideration –

In Step 1.4, we updated the Azure Active Directory web application manifest and set the property “accessTokenAcceptedVersion” to 2. The reason is that when you register your application, the value of “accessTokenAcceptedVersion” is null by default, which means the application accepts v1.0 access tokens.

If you noticed, we used all the v2.0 endpoint URLs: OpenID Connect metadata document https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-fd32xxxxxxxx/v2.0/.well-known/openid-configuration

OAuth 2.0 authorization endpoint (v2)

OAuth 2.0 token endpoint (v2)

If your requirement is v1.0, you need to use all the v1.0 URLs and remove the v2.0 segment from the OpenID Connect metadata document URL – https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-fd32xxxxxxxx/.well-known/openid-configuration

Along with it, also set the manifest version back to null or 1.
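The policy XML that step 23 of Step 4 refers to only survives on this page as a screenshot, so here is an added example of an APIM inbound validate-jwt policy written for this walkthrough; it is not the author's own XML. `{tenant-id}` and `{application-id}` are placeholders for your AAD tenant ID and the Application (client) ID from Step 1, and the scope name is the one created in Step 1.3.d. The metadata URL and issuer are the v2.0 ones used throughout the post; the comment at the end lists what changes if you stay on v1.0 tokens as described in the Important Consideration above.

```xml
<!-- Added example policy (not the original page's XML). Paste in the API's policy editor. -->
<policies>
    <inbound>
        <base />
        <!-- Reject the request unless the Authorization header carries a valid Bearer JWT.
             The error message is the one the post shows Postman receiving in step 27. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Signing keys are discovered from the v2.0 OpenID Connect metadata document (Step 1.5),
                 so the token signature is checked against the tenant's published keys.
                 Placeholder: replace {tenant-id} with your AAD tenant ID. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- A v2.0 access token names the API's Application (client) ID as its audience (step 24). -->
            <audiences>
                <audience>{application-id}</audience>
            </audiences>
            <!-- Pin the issuer so a token minted by another tenant is refused even if its signature is valid. -->
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- Require the delegated scope created in Step 1.3.d; scp is a space-separated list,
                 so the separator lets a token carrying several scopes still match. -->
            <required-claims>
                <claim name="scp" match="any" separator=" ">
                    <value>user_impersonation_aad_api</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!--
        v1.0 variant (accessTokenAcceptedVersion left as null or set to 1):
          <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
          <audience>api://{application-id}</audience>
          <issuer>https://sts.windows.net/{tenant-id}/</issuer>
        -->
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Audience and issuer are the checks that actually tie a token to this API and this tenant; with only the openid-config element, any token signed by Azure AD for any application would be accepted. Note also that this policy only protects traffic that passes through API Management: as the post says at the start, the Function URL itself must still be made unreachable except via APIM, otherwise the policy is bypassed.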

Happy Coding.

Reference:- https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad