Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
706 questions
How to Access APIM API from Azure Function with Managed Identity without OAuth authentication call
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 53%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
Dixan Lal Thomas
60
Reputation points
I have created a function app to call an API from APIM and I have added security of Auth 2.0 in the API settings. Also I have added Managed identity to the function app , and added that managed identity in APIM IAM to give API Management Service Reader role. If I call the APIM API from postman with An Auth token I'm able to access the API and retrieve the data .
Is it possible to call the API in APIM without Auth 2.0 as I have given API Management Service Reader role for the function app.
While calling the API from function app with managed identity getting below UnAuthorized Error .I need to bypass the Authentication Token as it is Azure resources and in same resource group.
I don't want to make a separate API call for Token from function App fro accessing the API.
var tokenCredential = new DefaultAzureCredential();
var accessToken = await tokenCredential.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] { "https://management.azure.com/.default" }));
_logger.LogInformation("Attempting to acquire token...");
accessToken = await tokenCredential.GetTokenAsync(tokenRequestContext);
_logger.LogInformation($"Access Token: {accessToken.Token}");
// Use the acquired token to authenticate the request to APIM
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken.Token);
var response = await httpClient.GetAsync(apimEndpoint);
Is it possibel to acheive this anyway?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Ben Gimblett 4,530 Reputation points Microsoft Employee2024-07-02T15:23:10.61+00:00 Hi Dixan thanks for the question
There's a few things here
*The oauth settings in APIM are for allowing the developer portal (or Azure portal) test console to obtain a valid oauth token when testing the API through APIM. The test console acts as the client (you could of course use postman or something else, the concept is the same)
*The RBAC role is for the control plane. So if your function is intended to "control" APIM in some way or needs access to the control plane setting the role is valid. If however you want to create a token towards APIM to call a backend API (data plane) you should not assign a control plane rolebefore commenting further could you provide me of some details of the backend API and how it's setup through APIM. Is the backend API (you call via APIM from the function app) the audience , is the token for that App?
Or, is the token for APIM and you'll use some other kind of security towards the actual backend API (for example certificate, basic, something else)?This document is a good over-arching starting point https://learn.microsoft.com/en-us/azure/api-management/authentication-authorization-overview
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 71%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Megha KG 0 Reputation points2024-07-03T07:08:09.9166667+00:00 We are using https://petstore.swagger.io/v2 as the Backend URL for testing purpose and it doesn't have an Authentication as it's an open API.
We have created an App registration and we are using AppRegistration's ClientId,ClientSecret,Scope and GrantType values in Postman to retrieve the data from APIM.
But In Azure function, We don't want to make a separate API call for Microsoft Token API to get the Auth Token. Instead we need to bypass the Token. Is there any way to do this.Below is the code we are using to validate Auth Token in APIM:
-
Ben Gimblett 4,530 Reputation points Microsoft Employee
2024-07-03T13:36:13.83+00:00 By creating the app registration and by implementing the policy (here "validate-azure-ad-token") you're enforcing that incoming calls are protected by a token
you would still need to ensure that the backend call (that is APIM to the backend) is protected
it doesnt make sense to bypass the token for a given client - auth/authz if implemented at a backend then it is for security. There are other options available, if you dont want to use oauth you could for example use client cert auth (mTLS)
Using an api key from the client (subscription key in APIM) although less secure, it's a single "fact" may be sufficient for your use case
You could also request a token for a user managed identity assigned to your function and send this token towards APIM
If you do this then you need to ensure you validate the "oid" claim within APIM so you're sure you're accepting the correct user assigned MSI. But you wont have any other authorization claims (pertaining to what the function can actually do in terms of calling the backend api)Either way, acquiring a token as you are (or via an MSI) if you use Microsoft identity then the package will look after caching etc and makes acquiring the token very straight forwards.
Sign in to comment
Sign in to answer