Protecting backend REST API with OIDC and Azure AD - API Management

azure202 1 Reputation point
2021-06-03T23:47:23.37+00:00

I want to protect a REST API based on .NET code deployed in an App Service in Azure behind API Management with OIDC (authorization code and client credential flow) using Azure AD.

What is best practice for authentication and validation?
Validate the JWT token in both the API code and in API Management ([api-management-howto-protect-backend-with-aad][1]) or only in one of the places?
The REST API is going to be restricted and only be accessible through API Management.


1 answer

Pramod Valavala 20,626 Reputation points Microsoft Employee
2021-06-04T14:31:54.38+00:00

@azure202 If the App Service is set up with IP Restrictions to allow requests only from APIM, then it would be OK to skip validation on the app side and just decode the token for claims.

This approach has the added benefit of having one validation setup for multiple apps and prevents unauthorized requests from reaching your app in the first place.

