I am a bit confused in understanding the relationship between oAuth2.0 and validating jwt tokens with inbound policies in azure APIM. Are they altogether different or What additional security it applies when applied together. What if I just applied inbound policies for validating JWT tokens without oAuth2.0 configuration?
CodePudding user response:
AFAIK, the process of using OAuth 2.0 authorization for APIM to protect APIs is:
- Registering the App in Azure AD and granting the users to access the API from it with a valid OAuth token.
- That token is added in the Authorization header of APIM's API requests.
- That token can be validated using the
validate-jwtpolicy by APIM.
This Validate JWT policy is used to pre-authorize requests in APIM.
As Will told in the comment, validate-JWT policy enforces a JSON web token's existence and validity came from either a specified query parameter or a HTTP Header.
Please refer to the article that contains practical workaround for configuring the JWT validation policy at product level, API Level and All APIs level which explains that the OAuth 2.0 implementation is required to protect the APIs more securely.
CodePudding user response:
validate-jwt policy is what actually enforces the token.
Associating API with OAuth/OpenID connect server achieves presence of corresponding metadata in API when you export it and enabled authentication UI in Developer portal, so that your customers can easily test your API.
If you're relying on APIM to validate JWT both are useful. But the latter is also useful in case when it is your backend and not APIM doing the validation.