We are working on a system where we have YARP as a gateway and several APIs for different data domains. The APIs are protected with Azure AD. Using MSAL (Microsoft.Identity.Web) is easy, as there are many examples of how to protect APIs or web apps. The APIs are called from different types of clients (SPA, CLI apps, web apps, etc.) and with different flows. Now, one of the requirements is that YARP works as a first line of defense, and for this we want YARP to validate the JWTs that are sent through each of the protected routes; that is, we want to authenticate and authorize each call. Although the authority (IdP) for all the APIs is the same, Azure AD, not all of them are registered in the same tenant and, of course, the client ID (audience) is different for each API. Has anyone had to implement something similar? Note: we don't want to validate specific scopes per route; in terms of authorization it is enough to validate that the user is authenticated.
How to validate the audience in the YARP routes?
393 Views, asked by EmilioV
The scenario you're describing, where a reverse proxy or gateway is responsible for validating JWT tokens before forwarding requests to various microservices or APIs, is not uncommon. YARP is designed to be highly customizable, and with .NET's middleware pipeline you can integrate JWT validation.
I am describing below an approach we used in one of our projects.
1. Set Up Azure AD with Multiple Apps
We had multiple Azure AD apps, so we had different issuer and audience values for JWT validation based on these Azure AD apps. Which is fine.
2. We Implemented JWT Validation in YARP using C# and .NET
Middleware to validate JWT: in the YARP pipeline, we injected a middleware to inspect the Authorization header of the incoming request and validate the JWT token. Something like below
We used hard-coded values for the issuer, audience, and signing key above. In your scenario, you may need a more dynamic approach where these values change based on which API the request is targeting. This could involve maintaining a configuration or map of API paths to their corresponding Azure AD settings, and fetching them dynamically in the middleware.
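An added example (not the answerer's code, which is not reproduced on this page) of the per-API mapping the answer suggests, using ASP.NET Core's built-in JwtBearer handler instead of a hand-written middleware: one JwtBearer scheme per API, each with its own tenant issuer and audience, and one authorization policy per scheme that only requires an authenticated user, which YARP routes reference by name. The tenant IDs, audiences and API names are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical registry of protected APIs: one entry per app registration.
// Tenant IDs and audiences below are placeholders, not real values.
var apis = new[]
{
    new ApiAuth("orders",  "00000000-0000-0000-0000-000000000001", "api://orders-app-id-placeholder"),
    new ApiAuth("billing", "00000000-0000-0000-0000-000000000002", "api://billing-app-id-placeholder"),
};

var auth = builder.Services.AddAuthentication();
foreach (var api in apis)
{
    // One JwtBearer scheme per API. Authority drives issuer validation and
    // signing-key discovery (OIDC metadata); Audience drives audience validation.
    auth.AddJwtBearer(api.Scheme, options =>
    {
        options.Authority = $"https://login.microsoftonline.com/{api.TenantId}/v2.0";
        options.Audience = api.Audience;
    });
}

builder.Services.AddAuthorization(options =>
{
    foreach (var api in apis)
    {
        // Authenticated-user check only, bound to that API's scheme; no scope check,
        // matching the question's requirement.
        options.AddPolicy(api.Policy, policy => policy
            .AddAuthenticationSchemes(api.Scheme)
            .RequireAuthenticatedUser());
    }
});

builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();   // enforces each route's AuthorizationPolicy before proxying
app.MapReverseProxy();
app.Run();

record ApiAuth(string Name, string TenantId, string Audience)
{
    public string Scheme => $"jwt-{Name}";
    public string Policy => $"authenticated-{Name}";
}
```

Each route in the `ReverseProxy` configuration then names its policy, e.g. `"AuthorizationPolicy": "authenticated-orders"` on the orders route, so the gateway rejects a request on that route unless it carries a token issued by that API's tenant for that API's audience.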