[Azure Api Management] How to forward Authorization Header to Backend

Question

[Azure Api Management] How to forward Authorization Header to Backend

Raphael Silva 0

Hello,

I configured my Api management instance to pre validate jwts with the validate-azure-ad-token policy, and it's working as expected.

But I also want to forward the same authorization token to the backend so it can also validate it and use information such as client id to generate logs.

Is that possible? If so how?

I've tried the set-header policy in the inbound config but with no success:

<set-header name="Authorization" exists-action="override">

    <value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value>

</set-header>

Loknathsatyasaivarma Mahali 810 Reputation points Microsoft External Staff

2025-03-13T19:29:14.5233333+00:00
Yes, it is possible to forward the Authorization header to the backend in Azure API Management. You can use the set-header policy in the inbound policy section to achieve this. Your current configuration seems correct, but ensure that it is placed in the right context and that there are no other policies that might be interfering with it.

Here’s an example of how to set the Authorization header:

<set-header name="Authorization" exists-action="override"> <value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value> </set-header>

Make sure this policy is placed before any policies that might alter or remove headers, and that it is within the <inbound> section of your API Management policy.

I hope this helps. If you have any further concerns or questions, please feel free to reach out to us.
Raphael Silva 0 Reputation points

2025-03-14T17:57:09.2966667+00:00

As I pointed in my original comment, I already did that and it did not work
Loknathsatyasaivarma Mahali 810 Reputation points Microsoft External Staff

2025-03-19T22:38:40.9566667+00:00

Hello Raphael Silva,

Just checking in to see if the information above was helpful. If you have any further updates on this issue, please feel free to post them here.

1 answer

Your answer

Loknathsatyasaivarma Mahali 810 Reputation points Microsoft External Staff

2025-03-13T19:29:14.5233333+00:00

Yes, it is possible to forward the Authorization header to the backend in Azure API Management. You can use the set-header policy in the inbound policy section to achieve this. Your current configuration seems correct, but ensure that it is placed in the right context and that there are no other policies that might be interfering with it.

Here’s an example of how to set the Authorization header:

<set-header name="Authorization" exists-action="override"> <value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value> </set-header>

Make sure this policy is placed before any policies that might alter or remove headers, and that it is within the <inbound> section of your API Management policy.

I hope this helps. If you have any further concerns or questions, please feel free to reach out to us.
Raphael Silva 0 Reputation points

2025-03-14T17:57:09.2966667+00:00

As I pointed in my original comment, I already did that and it did not work
Loknathsatyasaivarma Mahali 810 Reputation points Microsoft External Staff

2025-03-19T22:38:40.9566667+00:00

Hello Raphael Silva,

Just checking in to see if the information above was helpful. If you have any further updates on this issue, please feel free to post them here.

Answer 1

Loknathsatyasaivarma Mahali 810 Microsoft External Staff

Hello Raphael Silva,

One possible solution is to use the forward-request policy instead of set-header. The forward-request policy allows you to forward the entire incoming request, including all headers (such as the Authorization token), directly to the backend service. Here’s an example of how you can use the forward-request policy: <forward-request />

By using the forward-request policy, you can pass the entire request—including the authorization token—onto the backend for further validation and logging purposes.

Make sure the forward-request policy is placed in the inbound section of your API Management policy configuration.

If you encounter any issues or need further assistance with this approach, feel free to let me know. It would also be helpful if you could share any specific error messages or details you're encountering so I can provide a more targeted solution.

Loknathsatyasaivarma Mahali 810 Reputation points Microsoft External Staff

2025-03-21T01:22:33.43+00:00

Hello Raphael Silva,

Just checking in to see if the above provided information helps you in better understanding and solve your concerns, if you have further concerns, please feel free to drop them here.

Share via

[Azure Api Management] How to forward Authorization Header to Backend

1 answer

Your answer