Azure API management - oAuth is not working

Question

I am trying to access a service using Azure API management. I have enabled oAuth authentication on top of the service by using API's > Settings > Security and selexting oAuth 2.0. But Even after making this change, I am able to access the endpoints without providing any tokens. Am I missing anything ?

Answer 1

I did not add the JWT validation policy to pre-authorize requests

To add the policy select Design tab & click on </> icon (for policy code editor) under Inbound Processing & add following code:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud">
            <value>{backend-app-client-id}</value>
        </claim>
    </required-claims>
</validate-jwt>

After saving it make a new request.

Answer 2

I hope you have configured JWT policy could you please confirm ? if someone calls your API without a token or with an invalid token? For example, try to call the API without the Authorization header, the call will still go through.

This is because the API Management does not validate the access token, It simply passes the Authorization header to the back-end API.

To pre-Authorize requests, we can use Policy by validating the access tokens of each incoming request. If a request does not have a valid token, API Management blocks it.

reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests