How can we integrate Azure Active Directory with APIGEE?

Hi All,

Here I have a scenario where I have an API (microservice) in Azure Web Apps that is protected using JWT authentication. To fetch the bearer token (created based on tenant ID, client ID, etc.) we have an API call that is public and has to be protected.


[attached diagram]

We have registered both the client and the API application in Azure AD. Now the API application is protected using OAuth authentication (JWT bearer), whereas the client application is not protected; that is the reason we thought of introducing an APIGEE proxy that can access the client application. How can we achieve this?


Can we integrate APIGEE with Azure Active Directory? If so, how can it be achieved?


Thanks in advance.

1 ACCEPTED SOLUTION

I am not quite clear on the verbal description you provided, but... I can offer some comments, and maybe it will help.

It seems that you have an existing setup in which a client app gets a token from AzureAD and then presents it to the API (microservice). The microservice verifies and validates the JWT and, if valid, honors the inbound request. And now you want to do something similar for the client application. Yes, you can do that. The flow would look something like this.

[attached flow diagram with steps A, B, C, D and 1, 2, 3, 4, 5]

The steps shown as A, B, C, D must happen before steps 1, 2, 3, 4, 5.

If Azure AD issues a JWT to the external client application, the external client can present it as a bearer token to an Apigee API. You can then use the VerifyJWT policy within the Apigee proxy to verify and validate the AAD-issued JWT. As part of that, Apigee will connect with AzureAD to retrieve the public keys necessary to validate the inbound JWT. (This is just standard JWT verification via JWKS.) At this point Apigee has verified that the external client is bona fide and is trusted by AzureAD.

Some things to note:

  • You need to make sure the token coming out of AzureAD is not intended for use by the Microsoft Graph API itself. The scope claim should be something other than https://graph.microsoft.com/.default. For more on this, see this GitHub issue.
  • You still have the issue of trust between Apigee and the thing labeled as "client application" in your diagram. Most customers use a combination of TLS certificates and IP range allowlists to establish that trust.

If I am misunderstanding your question, I apologize.


7 REPLIES

Thank you so much for the help. Will try this out.

Hi Dchiesa,

I'm new to APIGEE. I was trying out the above-mentioned approach and tried adding a Validate_JWT policy in the Apigee proxy, but I am getting the error below:

{
    "fault": {
        "faultstring": "Algorithm in header did not match any algorithm specified in Configuration: policy(Verify-JWT-1) algorithm(RS256)",
        "detail": {
            "errorcode": "steps.jwt.AlgorithmMismatch"
        }
    }
}
Maybe the error is because of the algorithm mismatch. I'm passing a token generated with the RS256 algorithm, and the algorithm mentioned in the proxy API policy is HS256.

What I tried:
I am trying to pass the JWT token, which I obtained from Azure AD through the client application, as a parameter to the APIGEE proxy URL.

I followed the steps from this link: https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy

Can you please help me out with how to validate an Azure AD JWT token in APIGEE? This is step D, as mentioned in the diagram.

Thanks in advance.

Maybe the error is because of the algorithm mismatch. I'm passing a token generated with the RS256 algorithm, and the algorithm mentioned in the proxy API policy is HS256.

Judging from this error message

Algorithm in header did not match any algorithm specified in Configuration: policy(Verify-JWT-1) algorithm(RS256)

...I think maybe you're right!

Did you try specifying RS256 in the VerifyJWT policy? That would seem to be the next logical step.

I tried it, but it didn't work for me. I got an error while saving it. I got the error below:

[attached screenshot of the save error]

I even tried to find a solution for this error at
https://docs.apigee.com/api-platform/troubleshoot/policies/deployment/verify-JWT-deployment-errors

It didn't work for me.

Yes, check the documents and the examples for the VerifyJWT policy. You need to specify a PublicKey if you are verifying a JWT that uses RS256. You may have copied a policy example that uses the algorithm HS256, which uses a SecretKey. If you verify an RS256-signed JWT, you need to specify the PublicKey element, and the example you copied won't work.
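As an added example (not code from this thread or from the Apigee documentation), here is the kind of HS256 policy that produces the AlgorithmMismatch error above, next to a VerifyJWT policy that validates an Azure AD RS256 token through the tenant's JWKS endpoint, as the accepted answer describes. TENANT_ID_PLACEHOLDER and YOUR_API_APP_ID_PLACEHOLDER are placeholders; the Issuer and Audience values must match what the token from your tenant actually carries.

```xml
<!-- BEFORE (constructed to reproduce the thread's error): a policy copied from an
     HS256 example. An RS256-signed Azure AD token fails with steps.jwt.AlgorithmMismatch,
     and changing only Algorithm to RS256 while keeping SecretKey fails at deployment. -->
<VerifyJWT name="Verify-JWT-1">
    <Algorithm>HS256</Algorithm>
    <SecretKey>
        <Value ref="private.secretkey"/>
    </SecretKey>
</VerifyJWT>

<!-- AFTER: verify an RS256 token against the Azure AD tenant's published signing keys.
     Replace TENANT_ID_PLACEHOLDER with the directory (tenant) ID. -->
<VerifyJWT name="Verify-JWT-1">
    <DisplayName>Verify Azure AD JWT</DisplayName>
    <Algorithm>RS256</Algorithm>
    <!-- No <Source> element: by default the JWT is read from the
         "Authorization: Bearer <token>" request header. -->
    <PublicKey>
        <!-- Apigee fetches and caches the JWKS and picks the key matching the token's kid. -->
        <JWKS uri="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/discovery/v2.0/keys"/>
    </PublicKey>
    <!-- v2.0 access tokens carry this issuer; v1.0 tokens use
         https://sts.windows.net/TENANT_ID_PLACEHOLDER/ instead. -->
    <Issuer>https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0</Issuer>
    <!-- Must equal the aud claim of tokens minted for the API app registration
         (its Application ID URI or client ID). This check is what rejects a token
         that was issued for Microsoft Graph (aud https://graph.microsoft.com). -->
    <Audience>api://YOUR_API_APP_ID_PLACEHOLDER</Audience>
    <!-- Tolerate small clock skew when checking exp and nbf. -->
    <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>
```

Attach the corrected policy to the proxy's request PreFlow so every call is verified before it is routed to the client application.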


OK dchiesa, will try that out.