How to Choose between APIM <get-authorization-context..> & <validate-azure-ad-token>?

Siegfried Heintze 1,906 Reputation points
2023-01-13T05:01:46.2666667+00:00

Previously (https://learn.microsoft.com/en-us/answers/questions/1132295/azure-api-management-(apim)-restriction-policies-v) I learned that both <validate-jwt> and <validate-azure-ad-token> can be used to deny a user access to an APIM.

Since then I've been studying https://learn.microsoft.com/en-us/azure/api-management/get-authorization-context-policy#examples and https://learn.microsoft.com/en-us/azure/api-management/authorizations-how-to, and I see here (https://learn.microsoft.com/en-us/azure/api-management/api-management-policies#access-restriction-policies) that, like <validate-jwt> (and therefore <validate-azure-ad-token>), <get-authorization-context> can be used to implement "Access Restriction Policies".

  1. Is this correct?
  2. It says "In this article, you learn how to create an authorization (preview) in API Management and call a GitHub API that requires an authorization token". Does this mean that this technique only allows me to call functions implemented by identity providers like Google, GitHub and Facebook, and if I wanted to use this technique to call my Azure Function, I would have to be an identity provider like Google, GitHub or Facebook?

Thanks

Siegfried

Tags: Azure API Management, Microsoft Entra ID

Accepted answer
Gustavo Guerreiro Basilio Costa 80 Reputation points
2023-02-10T19:56:40.8+00:00

    Good but the point is how is this error thrown? Is that a 401?

    Or is it any kind of error regarding the policy, and therefore I would have to know this error?

    When I use the trace to debug the access token renewal, I get no error message except for a 401 in the end, which does not tell me if it was caused by the policy or sent by the backend itself. Did you get it?

    The documentation and examples should have this shown.

    Anyway, I'm using client credentials, so I won't have a refresh token URL.

    OK for that. I get that I have to keep an eye on the error message. But if I don't know what kind of message is that, I cannot handle it.

    So far I'm just having this:

    get-authorization-context (6.499 ms)
    "Using cache 'internal'."
    
    get-authorization-context (595.598 ms)
    {
        "message": "Obtaining managed identity token using clientId:f0da2222-67f1-4229-2202-eb2221369287 AAD Authority:https://login.windows.net/82222226-0477-4390-b86e-22222222222 for https://apihub.azure.com audience succeeded.",
        "errorResponse": null
    }
    
    get-authorization-context (621.931 ms)
    {
        "message": "Obtaining managed identity token using clientId:f011113e-67f1-4b79-8d02-11111369287 AAD Authority:https://login.windows.net/82222226-0477-4390-b86e-22222222222 for https://azure-api.net/authorization-manager audience succeeded.",
        "errorResponse": null
    }
    
    get-authorization-context (5.845 ms)
    {
        "message": "Sending request to authorization provider gateway.",
        "request": {
            "apimServiceName": "3333y",
            "providerId": "outsystems-oauth2",
            "authorizationId": "outsystems-oauth2",
            "identityType": "managed",
            "identityMetadata": "{ objectId: 441d34344500494, tenantId: 809f94a63434344353453a7 }",
            "correlationId": "9ad2432345d2"
        }
    }
    
    get-authorization-context (2,255.140 ms)
    "Using cache 'internal'."
    
    get-authorization-context (9.969 ms)
    "Authorization context was added to 'auth-context' variable."
    
    set-header (5.827 ms)
    {
        "message": "Expression was successfully evaluated.",
        "expression": "((Authorization)context.Variables.GetValueOrDefault(\"auth-context\"))?.AccessToken",
        "value": "eyJhbGciOiJIUzI1NiIs-.-Njc1MTg5Mz-TR9.-P9Vw"
    }
    
    set-header (0.014 ms)
    {
        "message": "Specified value was assigned to the header (see below).",
        "header": {
            "name": "Authorization",
            "value": "eyJhbGciOiJIUzI1NiIs-.-Njc1MTg5Mz-TR9.-P9Vw"
        }
    }
    

    Which means I'm still getting a token, invalid though.


2 additional answers

JananiRamesh-MSFT 29,236 Reputation points
2023-01-13T17:17:22.7566667+00:00

    Hi @Siegfried Heintze Thanks for reaching out. Yes get-authorization-context can also be used to implement access restriction policies.

    The <get-authorization-context> policy is used to extract the authorization context from an incoming request and make it available to the other policies in APIM. It is typically used in conjunction with other policies, such as <validate-jwt> and <validate-azure-ad-token>, to implement access restriction policies.

    The example in the doc demonstrates how to use the <get-authorization-context> policy to call a GitHub API that requires an authorization token. However, this can be used to call any API that requires an authorization token, regardless of whether the API is provided by an identity provider like Google, GitHub, or Facebook, or by a custom service like an Azure function.

    Do let me know if you have any queries.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
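Both answers above describe the two halves of the pattern, and the trace in the accepted answer shows only the second half (token retrieval and header injection). The policy below is an added example written for this page, not code from the thread or from the APIM documentation. It gates the caller with <validate-azure-ad-token>, then uses <get-authorization-context> to swap the caller's token for the backend credential that APIM holds on the caller's behalf, and it tags responses so that a 401 raised by policy can be told apart from a 401 sent by the backend, which is the ambiguity the accepted answer runs into. Assumptions: the named values {{tenant-id}} and {{caller-app-id}} exist in the APIM instance; the provider-id and authorization-id reuse the "outsystems-oauth2" names from the trace above; the X-Error-Source header name is my own choice.

```xml
<policies>
    <inbound>
        <base />
        <!-- 1. Access restriction: reject callers without a valid Entra ID token
             issued to an allowed client application. On failure this policy
             answers 401 by default (failed-validation-httpcode), so that 401 is
             produced by APIM and the backend is never called. -->
        <validate-azure-ad-token tenant-id="{{tenant-id}}"
                                 failed-validation-error-message="Caller token rejected by APIM">
            <client-application-ids>
                <!-- {{caller-app-id}}: assumed named value holding the allowed app's client ID -->
                <application-id>{{caller-app-id}}</application-id>
            </client-application-ids>
        </validate-azure-ad-token>
        <!-- 2. Fetch the stored backend credential. provider-id / authorization-id
             reuse the names visible in the trace on this page (assumption).
             ignore-error="false" means a failed lookup raises a policy error
             instead of silently leaving the variable null. -->
        <get-authorization-context provider-id="outsystems-oauth2"
                                   authorization-id="outsystems-oauth2"
                                   context-variable-name="auth-context"
                                   identity-type="managed"
                                   ignore-error="false" />
        <!-- 3. Replace the caller's Authorization header with the backend token.
             The caller's own Entra token must not reach the backend. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- 4. A 401 that reaches outbound came back from the backend: the
             inbound policies all succeeded. Mark it so the client can tell. -->
        <choose>
            <when condition="@(context.Response.StatusCode == 401)">
                <set-header name="X-Error-Source" exists-action="override">
                    <value>backend</value>
                </set-header>
            </when>
        </choose>
    </outbound>
    <on-error>
        <base />
        <!-- 5. Any policy failure (token validation, authorization lookup) lands
             here. Details go to the trace, not to the caller, to avoid leaking
             configuration; the caller only learns that APIM, not the backend,
             produced the error. -->
        <trace source="apim-policy-error" severity="error">
            <message>@($"{context.LastError.Source}: {context.LastError.Reason} - {context.LastError.Message}")</message>
        </trace>
        <set-header name="X-Error-Source" exists-action="override">
            <value>apim-policy</value>
        </set-header>
    </on-error>
</policies>
```

Two things worth noting when adapting this. First, the trace in the accepted answer assigns the raw access token to the Authorization header with no "Bearer " prefix; whether the backend accepts that depends on the backend, so the example follows the documented form and prepends the scheme. Second, with ignore-error="true" the policy would instead set the context variable to null and continue, which produces exactly the symptom described above: the request reaches the backend with an empty or malformed Authorization header and the backend's 401 is indistinguishable from a policy failure. Keeping ignore-error="false" and handling the failure in <on-error> is what makes the two cases separable.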

