I am trying to use APIM to send a request through to a back-end App Service which requires the client to be authorised with roles. When I connect directly to the App Service with an App Registration with the roles this works as expected or when I send via APIM without using Managed Identity for the authorisation.
I would like to be able to have the Authorisation header replaced using the System Assigned Managed Identity but when it adds the new bearer token it is missing the roles section when I inspect the JWT Token in jwt.io.
The policy looks like this:

```xml
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Missing Token or Invalid one yo!">
            <openid-config url="https://login.microsoftonline.com/{my_tenant}/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>api://{my_backend_app_reg}</value>
                </claim>
                <claim name="roles" match="any" separator=",">
                    <value>{my_role}</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <set-header name="ClientAppRegId" exists-action="override">
            <value>@(context.Request.Headers.GetValueOrDefault("Authorization").AsJwt()?.Claims.GetValueOrDefault("appid"))</value>
        </set-header>
        <!-- The APIM subscription key header is Ocp-Apim-Subscription-Key; the original "Ocp-Apim-Subscriptionkey" would not match it and the key would be forwarded to the backend -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
        <set-header name="Authorization" exists-action="delete" />
        <authentication-managed-identity resource="api://{my_backend_app_reg}" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```
Have ensured the App Registration that seems to be tied to the APIM Managed Identity has the roles set within the API permissions section and confirmed when sending via Postman/Insomnia that the roles are in the returned token when manually requested.
Have checked the token used in the trace and it looks almost the same but missing the roles section.
My back-end service then authenticates as expected but then fails at the authorisation on the controllers as the roles are not present in the token.
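As an added illustration (not part of the question above, and not APIM's own code), the script below decodes a JWT payload and applies the same checks the question's `<required-claims>` block expresses: `aud` must contain the backend app registration URI, and `roles` must contain at least one required role (`match="any"`, `separator=","`). It reproduces the situation described in the question, where a token with the right audience but no `roles` claim passes authentication and then fails the role requirement. The two sample tokens are constructed and unsigned; signature verification is left to APIM's `openid-config` and is not done here. The placeholders `{my_backend_app_reg}` and `{my_role}` are kept from the question.

```python
import base64
import json

# Required claims mirrored from the question's <validate-jwt> policy
# (placeholder values kept exactly as they appear in the question).
REQUIRED_AUD = "api://{my_backend_app_reg}"
REQUIRED_ROLES = {"{my_role}"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here; APIM does that against the
    openid-config metadata. This only inspects the claims, like jwt.io does.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def claim_values(claims: dict, name: str, separator: str = ",") -> set:
    """Normalise a claim to a set of strings.

    Handles both JSON arrays (how Entra ID emits 'roles') and
    separator-joined strings (what the policy's separator attribute is for).
    """
    value = claims.get(name)
    if value is None:
        return set()
    if isinstance(value, list):
        return {str(v) for v in value}
    return {v.strip() for v in str(value).split(separator) if v.strip()}


def check_required_claims(token: str) -> list:
    """Apply the policy's required-claims semantics to a token.

    Returns a list of failure reasons; an empty list means the token would
    satisfy both the 'aud' requirement and the 'roles' match='any' requirement.
    """
    claims = jwt_claims(token)
    failures = []
    if REQUIRED_AUD not in claim_values(claims, "aud"):
        failures.append(f"aud claim does not contain {REQUIRED_AUD!r}")
    roles = claim_values(claims, "roles")
    if not roles:
        failures.append("roles claim is missing from the token")
    elif not (roles & REQUIRED_ROLES):
        failures.append(f"roles {sorted(roles)} contain none of {sorted(REQUIRED_ROLES)}")
    return failures


def make_constructed_token(payload: dict) -> str:
    """Build a constructed JWT for offline testing only.

    The third segment is a placeholder, not a real signature; nothing here
    verifies it, so these tokens are only useful for claim inspection.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed sample tokens (not tokens from the question's trace).
# The first resembles the client app registration's token; the second
# resembles the managed-identity token described in the question: correct
# audience, but no roles claim.
TOKEN_WITH_ROLES = make_constructed_token(
    {"aud": REQUIRED_AUD, "appid": "constructed-client-app", "roles": ["{my_role}"]}
)
TOKEN_WITHOUT_ROLES = make_constructed_token(
    {"aud": REQUIRED_AUD, "appid": "constructed-apim-identity"}
)

if __name__ == "__main__":
    for label, tok in [("with roles", TOKEN_WITH_ROLES), ("without roles", TOKEN_WITHOUT_ROLES)]:
        print(label, "->", check_required_claims(tok) or "passes required-claims")
```

Running the script against a token copied from the APIM trace (instead of the constructed ones) gives the same pass/fail answer the policy would, and names which claim is missing, which is quicker than reading the payload by eye in jwt.io.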