I'm unclear on whether I've missed something with the way API Management Gateway/Azure Function communications work. Initial requests are supposed to contain a JWT which contains server-signed assertions related to user roles.
Within APIM/Azure Functions, there is the concept of a 'shared secret' used to authenticate B2B communications, which means that some level of trust occurs between the two systems.
Obviously, I could implement JWT validation in both places, but I cannot find any documentation from Microsoft or similar that says 'here's how you're supposed to do it.'
CodePudding user response:
• There is no official documentation from Microsoft regarding JWT validation in APIM, as most of the documentation is related to the policies regarding the usage of authentication, access restriction, caching, cross-domain, distributed application runtime, integration, transformation, etc. in APIM. But you surely can refer to the link below, which is no less than documentation that explains elaborately how the policies in APIM can be used to achieve the results for various operations defined in the workspace.
https://azure.github.io/apim-lab/apim-lab/7-security/apimanagement-7-1-JWT-Validation.html
• According to the above link, JWT validation happens at the Azure B2B end, as the token issued to the app service is validated against the configured authorization and access policies defined while granting access to perform the required operations for the app service. For your confirmation purpose, you can add a validate-jwt policy for the concerned app service in your APIM, as given in the below link, to confirm the source where the JWT validation happens. For that purpose, you will need an orchestration app like 'Postman' and create a corresponding app registration in Azure AD for the correct validation results:
https://carldesouza.com/adding-a-validate-jwt-policy-to-azure-api-management/
In the above links, you will get an overall understanding of the various parameters which are included and need to be validated in the payload, header, and signature sections to ensure that the JWT is a genuine one.
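As an added illustration (not code from the original question, the answer, or Microsoft), here is what a second, Function-side check of the header, signature and payload looks like when the caller wants defence in depth behind the gateway's validate-jwt policy. It uses only the standard library so it runs offline; the HMAC secret, issuer URL, audience and role names are made up for the example, and a real Function would normally verify the issuer's asymmetric signature (RS256 keys fetched from the issuer's metadata) rather than a shared HMAC secret. The order of the checks is the point: pin the algorithm, verify the signature over the exact bytes received, and only then read iss, aud, exp, nbf and the role claim.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values standing in for the shared secret, issuer and
# audience your identity provider and Function are actually configured with.
SECRET = b"example-shared-secret-do-not-use-in-production"
ISSUER = "https://login.example.invalid/tenant"
AUDIENCE = "api://example-function"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Mint an HS256 token as test input only; the Function never issues tokens."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class JwtError(Exception):
    """Any token that must be rejected; the reason is for your logs, not the client."""


def validate_token(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
                   audience: str = AUDIENCE, required_roles=(), now=None) -> dict:
    """Check header, signature and payload in that order; return claims or raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise JwtError("undecodable token")

    # Header: pin the algorithm you expect instead of trusting "alg" from the
    # token, which closes the alg=none and HS/RS key-confusion tricks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise JwtError("unexpected alg")

    # Signature: recompute over the exact bytes received, compare in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtError("bad signature")

    # Payload: only after the signature holds are the claims worth reading.
    if not isinstance(payload, dict):
        raise JwtError("bad payload")
    if payload.get("iss") != issuer:
        raise JwtError("wrong issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JwtError("wrong audience")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise JwtError("expired or missing exp")
    nbf = payload.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf):
        raise JwtError("token not yet valid")
    roles = payload.get("roles", [])
    if not isinstance(roles, list) or not set(required_roles) <= set(roles):
        raise JwtError("missing role")
    return payload


def is_valid(token: str, **kwargs) -> bool:
    """Allow/deny wrapper for handlers that only need a boolean."""
    try:
        validate_token(token, **kwargs)
        return True
    except JwtError:
        return False


if __name__ == "__main__":
    fixed_now = 1_700_000_000
    good = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1",
                       "exp": fixed_now + 300, "roles": ["reader"]})
    print(validate_token(good, required_roles=("reader",), now=fixed_now)["sub"])
```

Note that the role check happens last and against a claim the signature covers; reading `roles` from an unverified token is exactly the mistake a validate-jwt policy at the gateway is there to prevent, and the Function repeating the same checks means a misconfigured or bypassed gateway does not silently grant access.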