API Management - Hands-on Lab Script - part 7

Security

JSON Web Tokens (JWT)

JSON Web Tokens are an open industry-standard method for representing claims securely between two parties. More info at https://jwt.io/

In this lab, we are going to see how to validate the token and use its claims with your APIs.

JSON Web Tokens (JWT) - validate

Open the Calculator API ‘Code View’

<!-- Inbound -->
<!-- Demo symmetric key for the lab; in a real deployment keep it in a named value rather than inline in policy -->
<set-variable name="signingKey" value="123412341234123412341234" />
<!-- Rejects requests whose bearer token is missing, badly signed or expired with 401 -->
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
    <issuer-signing-keys>
        <key>@((string)context.Variables["signingKey"])</key>
    </issuer-signing-keys>
</validate-jwt>

No JWT:

Valid JWT in the header:

Note the bearer token in the Request payload. Make sure the JWT's expiry date is in the future, otherwise validation fails with the 401 configured above.

JSON Web Tokens (JWT) - check a claim exists

<!-- Inbound -->
<set-variable name="signingKey" value="123412341234123412341234" />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
    <issuer-signing-keys>
        <key>@((string)context.Variables["signingKey"])</key>
    </issuer-signing-keys>
    <required-claims>
        <claim name="admin" match="any">
            <value>true</value>
        </claim>
    </required-claims>
</validate-jwt>

Checking for admin claim:

Checking for adminx claim (a claim name the token does not carry, so validation fails):

        <claim name="adminx" match="any">

JSON Web Tokens (JWT) - extract claim and pass to backend

<!-- Inbound -->
<set-header exists-action="override" name="username">
    <value>@{
        Jwt jwt;
        // Take the token after the "Bearer " scheme; TryParseJwt only decodes it (no signature check),
        // so validate-jwt must still run earlier in the inbound section. It returns false, leaving jwt
        // null, when the header is missing or malformed; guard that before touching jwt.Claims.
        if (!context.Request.Headers.GetValueOrDefault("Authorization", "scheme param")
                .Split(' ').Last().TryParseJwt(out jwt))
        {
            return "?";
        }
        return jwt.Claims.GetValueOrDefault("name", "?");
        }
    </value>
</set-header>

Claim in header:

Claim in trace:
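The three policies above, as an added Python example that is not part of the lab: it mints an HS256 token with the lab's signing key, then mirrors what validate-jwt checks (signature, expiry, a required claim with match="any") and what the set-header expression extracts. It assumes APIM reads the <key> element as base64 text, so the bytes used for HMAC are the decoded value; the token claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# The lab's symmetric key exactly as written in <issuer-signing-keys><key>. APIM reads that element
# as base64 text, so the bytes actually used for HMAC are the decoded value (assumption, see lead-in).
SIGNING_KEY = base64.b64decode("123412341234123412341234")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build an HS256 token with the given claims (what you would otherwise assemble on jwt.io)."""
    segs = [_b64url(json.dumps(o, separators=(",", ":")).encode()) for o in ({"alg": "HS256", "typ": "JWT"}, claims)]
    sig = hmac.new(key, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url(sig)])

def parse_jwt(token: str):
    """Like TryParseJwt: split and decode WITHOUT checking the signature; None if malformed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, claims = (json.loads(_b64url_decode(s)) for s in (header_b64, payload_b64))
    except (ValueError, TypeError):
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    return header, claims, _b64url_decode(sig_b64), f"{header_b64}.{payload_b64}".encode()

def validate_jwt(auth_header: str, required_claims: dict, key: bytes = SIGNING_KEY, now=None) -> int:
    """Mirror of the lab's <validate-jwt>: 200 if the bearer token passes, else 401 (failed-validation-httpcode)."""
    parsed = parse_jwt((auth_header or "").split(" ")[-1])   # "Bearer <token>" -> "<token>"
    if parsed is None:
        return 401                                           # the "No JWT" case
    header, claims, sig, signing_input = parsed
    if header.get("alg") != "HS256":                         # only the algorithm our key is meant for
        return 401
    if not hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig):
        return 401
    if claims.get("exp", float("inf")) < (time.time() if now is None else now):
        return 401                                           # expiry date must be in the future
    for name, allowed in required_claims.items():            # <required-claims> with match="any"
        present = claims.get(name, [])
        present = present if isinstance(present, list) else [present]
        if not {v if isinstance(v, str) else json.dumps(v) for v in present} & set(allowed):
            return 401                                       # e.g. "adminx", which the token does not carry
    return 200

def username_from_header(auth_header: str) -> str:
    """Mirror of the <set-header name="username"> expression: the 'name' claim, or '?' if unreadable."""
    parsed = parse_jwt(auth_header.split(" ")[-1])
    return parsed[1].get("name", "?") if parsed else "?"
```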

Managed Service Identity

In Azure, an Azure Active Directory identity can be assigned to a managed resource such as an Azure Function, App Service or even an API Management instance. Once an identity is assigned, the resource can authenticate to other resources that use Azure AD for authentication, much like a service principal, without storing any credentials itself.

Register API Management with Active Directory

Register APIM

Key Vault - Create Key Vault and add a secret

Create Key Vault

Key Vault - Access policy and principal assignment

Create an access policy


Select the Get operation from the list of Secret permissions (only Get is needed for this lab).


Select the principal and search for the name of your API Management instance.


Remember to click Save.


API Management, Key Vault and Managed Service Identity

New operation

<!-- Inbound -->
<base />
<!-- Call Key Vault from the gateway; the managed identity acquires the access token, no secret is stored in policy -->
<send-request mode="new" response-variable-name="secretResponse" timeout="20" ignore-error="false">
    <set-url>https://{your-keyvault-base-uri}.azure.net/secrets/favoritePerson/?api-version=7.0</set-url>
    <set-method>GET</set-method>
    <authentication-managed-identity resource="https://vault.azure.net" />
</send-request>
<!-- Read the secret's "value" field out of the Key Vault response and build the backend path from it -->
<set-variable name="favoritePersonRequest" value="@{
    var secret = ((IResponse)context.Variables["secretResponse"]).Body.As<JObject>();
    return "/people/" + secret["value"].ToString() + "/";
}" />
<rewrite-uri template="@((string)context.Variables["favoritePersonRequest"])" />

Test the operation
