Hi All,
Here I have a scenario where I have an API (microservice) in Azure Web Apps that is protected using JWT authentication. To fetch the bearer token (created based on tenant id, client id, etc.) we have an API call that is public and which has to be protected.
We have registered both the client and the API application in Azure AD. The API application is protected using OAuth authentication (JWT Bearer), whereas the client application is not protected; that is the reason we thought of introducing an APIGEE proxy that can access the client application. How can we achieve this?
Can we integrate APIGEE with Azure Active Directory? If so, how can it be achieved?
Thanks in advance.
I am not quite clear on the verbal description you provided, but... I can offer some comments, and maybe it will help.
It seems that you have an existing setup in which a client app gets a token from Azure AD and then presents it to the API (microservice). The microservice verifies and validates the JWT and, if it is valid, honors the inbound request. And now you want to do something similar for the client application. Yes, you can do that. The flow would look something like this.
The steps shown as A,B,C,D must happen before steps 1,2,3,4,5.
If Azure AD issues a JWT to the external client application, the external client can present it as a bearer token to an Apigee API. You can then use the VerifyJWT policy within the Apigee proxy to verify and validate the AAD-issued JWT. As part of that, Apigee will connect to Azure AD to retrieve the public keys necessary to validate the inbound JWT. (This is just standard JWT verification via JWKS.) At this point Apigee has verified that the external client is bona fide and is trusted by Azure AD.
Some things to note:
If I am misunderstanding your question, I apologize.
Thank you so much for the help. Will try this out.
Hi Dchiesa,
I'm new to APIGEE. I was trying out the above-mentioned approach and tried adding a Validate_JWT policy in the Apigee proxy, but I am getting the below error:
Maybe the error is because of an algorithm mismatch. I'm passing a token generated with the RS256 alg., and the alg. mentioned in the proxy API policy is HS256.
Judging from this error message
Algorithm in header did not match any algorithm specified in Configuration: policy(Verify-JWT-1) algorithm(RS256)
...I think maybe you're right!
Did you try specifying RS256 in the VerifyJWT policy? That would seem to be the next logical step.
I tried it, but it didn't work for me. I got an error while saving it. Got this below error
and I even tried to find a solution for this error in
https://docs.apigee.com/api-platform/troubleshoot/policies/deployment/verify-JWT-deployment-errors
It didn't work for me.
Yes, check the documents and the examples for the VerifyJWT policy. You need to specify a PublicKey if you are verifying a JWT that uses RS256. You may have copied a policy example that uses the algorithm HS256, which uses a SecretKey. If you verify an RS256-signed JWT, you need to specify the PublicKey element, and the example you copied won't work.
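To make the two points in this thread concrete (the JWKS-based verification of an Azure AD token described in the accepted answer, and the HS256/SecretKey versus RS256/PublicKey distinction explained just above), here are two VerifyJWT policies side by side. This is an added illustration, not a policy posted by dchiesa or shipped by Apigee or Microsoft. The first policy is the shape of the copied HS256 template that produced the "Algorithm in header did not match" error; the second is the corrected policy for an RS256-signed Azure AD token. The placeholders {tenant-id} and {api-app-client-id} are assumptions and must be replaced with the real tenant ID and the API application's client ID; the Issuer and Audience values are likewise assumed to be those of an Azure AD v2.0 access token issued for that application, and should be checked against a decoded sample token. Each policy is a separate file in the proxy bundle; they are shown in one fence only for comparison.

```xml
<!-- Policy 1 (the mistaken starting point): an HS256 policy verifies a token
     signed with a shared secret. A token whose header says "alg":"RS256"
     is rejected before any key is consulted, because the alg in the header
     must match the configured Algorithm. Added example, not from the thread. -->
<VerifyJWT name="Verify-JWT-1">
  <DisplayName>Verify-JWT-1 (HS256 template)</DisplayName>
  <Algorithm>HS256</Algorithm>
  <!-- HS256 needs a SecretKey; there is no SecretKey for an Azure AD token,
       which is why this policy can never validate one. -->
  <SecretKey>
    <Value ref="private.secretkey"/>
  </SecretKey>
</VerifyJWT>

<!-- Policy 2 (corrected): RS256 verification against Azure AD's published
     JWKS. Apigee fetches the key set over HTTPS, selects the key whose "kid"
     matches the token header, and verifies the RSA signature. With no
     <Source> element the policy reads the JWT from the Authorization header
     and expects the "Bearer " prefix. -->
<VerifyJWT name="Verify-AAD-RS256">
  <DisplayName>Verify Azure AD JWT (RS256 via JWKS)</DisplayName>
  <!-- Pin the algorithm: an attacker-supplied "alg":"none" or HS256 header
       is rejected rather than silently accepted. -->
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- RS256 needs a PublicKey. Pointing it at the tenant's JWKS endpoint
       lets Apigee follow Azure AD's key rollover without redeploying.
       {tenant-id} is a placeholder (assumption). -->
  <PublicKey>
    <JWKS uri="https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys"/>
  </PublicKey>
  <!-- Bind the token to this tenant and this API so a valid token minted
       for some other Azure AD app cannot be replayed here. Both values are
       assumptions to be confirmed against a decoded sample token. -->
  <Issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</Issuer>
  <Audience>api://{api-app-client-id}</Audience>
  <!-- Tolerate small clock skew when checking exp/nbf. -->
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>
```

Two practical checks once the corrected policy is attached to the proxy's request PreFlow: send a token obtained from Azure AD for the API application and confirm the request passes, then send the same token with its signature segment altered and confirm the policy raises a fault (the request must not reach the target). Verifying the signature alone is not enough; without the Issuer and Audience elements, any syntactically valid Azure AD token signed by the tenant's keys, including one issued for an unrelated application, would be accepted by the proxy.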
OK dchiesa, will try that out.