API Call through Entra Application Proxy to Secured On-Premise API

Jonathan Gallant 0 Reputation points
2025-04-04T00:21:12.0866667+00:00

Is there a method to make an API call through the Entra Application Proxy to an on-premise API secured with Microsoft.Identity.Web Framework, while ensuring that the JWT token is passed from the proxy to the API?

The goal is to call a secured API from an Android app located outside the network. The API is on-premise and secured using the Microsoft.Identity.Web Framework, with endpoints configured to validate a JWT token from Entra ID. When generating a token (e.g., using Postman), the API call to the secured API on the internal network is successful.

However, after publishing the API using Entra Application Proxy, calling the secured API with a token results in a "401 Unauthorized" error. Unsecured endpoint calls work as expected. While changing pre-auth to passthrough resolves the issue, it effectively replicates a direct API call.

Upon inspecting the headers, it's evident that the authorization header is dropped by the Entra App Proxy, leading to the 401 error. Attempts to establish Header SSO did not yield the configured headers on either secured or unsecured endpoints. Although a custom header with the Entra ID token can be added to make the API call, this approach poses security risks. Securing the connection between the connector and the API is a possible interim solution.

Other than Header-based SSO, what are the recommended methods for making an API call through Entra Application Proxy to a secured on-premise API, with a focus on securely passing the JWT token from the proxy to the API? Should I implement a different method of authentication/authorization in the API?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
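To make concrete what the on-premises side is doing when it answers 401, here is an added example in Go (not code from the question, and not Microsoft.Identity.Web's own implementation) of the bearer-token validation such an API performs: RS256 signature, issuer, audience and expiry, read from the `Authorization: Bearer` header and nothing else. The issuer and audience constants are hypothetical placeholders, and the signing key is generated locally as a stand-in for the tenant's published JWKS key so that the example runs offline; the token it mints is constructed for the demonstration, since a real API only ever validates tokens issued by Entra ID.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Hypothetical values for this example; a real API uses its tenant's issuer and
// its own registered Application ID URI (or client ID) as the expected audience.
const (
	Issuer   = "https://login.microsoftonline.com/TENANT_ID/v2.0"
	Audience = "api://my-onprem-api"
)

// Claims is the subset of an Entra ID access token this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Sub string `json:"sub"`
}

// Validator performs the checks a JwtBearer-style middleware performs: RS256
// signature, issuer, audience and expiry. Production code takes the public key
// from the tenant's JWKS endpoint; here it is a locally generated key (assumption).
type Validator struct{ Key *rsa.PublicKey }

var enc = base64.RawURLEncoding

// GenerateTestKey stands in for Entra's signing key (constructed, example only).
func GenerateTestKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// SignRS256 mints a token for the example only; a real API never mints tokens.
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + enc.EncodeToString(sig), nil
}

// Validate verifies a compact JWT; any failed check returns an error.
func (v Validator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrJSON, err1 := enc.DecodeString(parts[0])
	body, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil { return nil, errors.New("bad base64url") }
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // refuses "none" and HMAC downgrades
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil { return nil, err }
	if c.Iss != Issuer { return nil, errors.New("wrong issuer") }
	if c.Aud != Audience { return nil, errors.New("wrong audience") }
	if time.Now().Unix() >= c.Exp { return nil, errors.New("token expired") }
	return &c, nil
}

// Authorize is what the secured endpoint does with a request's headers. It reads
// only Authorization: Bearer, so a proxy hop that strips that header produces
// exactly the 401 described in the question, while a forwarded valid token yields 200.
func (v Validator) Authorize(h http.Header) (int, string) {
	auth := h.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") { return http.StatusUnauthorized, "missing bearer token" }
	c, err := v.Validate(strings.TrimPrefix(auth, "Bearer "))
	if err != nil { return http.StatusUnauthorized, err.Error() }
	return http.StatusOK, "hello " + c.Sub
}

func main() {
	priv := GenerateTestKey()
	v := Validator{Key: &priv.PublicKey}
	tok, _ := SignRS256(priv, Claims{Iss: Issuer, Aud: Audience, Exp: time.Now().Add(time.Hour).Unix(), Sub: "user1"})
	fmt.Println(v.Authorize(http.Header{"Authorization": {"Bearer " + tok}})) // token forwarded intact
	fmt.Println(v.Authorize(http.Header{}))                                   // header stripped by an intermediary
}
```

The point the example makes for the question: the API's decision depends entirely on which header reaches it, and every accepted token must pass signature, issuer, audience and expiry checks against the tenant's published key. If a token were carried in a different header instead, that header would have to be treated as equally untrusted and run through the same checks; a header that the API merely trusts because it came from the connector is the kind of shortcut the question flags as a risk.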
