Enabled OAuth2 in API Management but still can access the API without providing Authorization header

San Chea 1 Reputation point
2021-09-13T09:07:36.943+00:00

Hi everyone, I am working on protecting an API in APIM by using OAuth2 with AAD, following this official doc: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.

The end result is that I can generate the token fine, both in the normal API and in the Developer Portal. However, I can still access the API even without providing the Authorization header.

I wonder if this is expected, or whether I have not given the correct configuration.


1 answer

  1. Pramod Valavala 15,136 Reputation points Microsoft Employee
    2021-09-16T07:24:37.383+00:00

    @San Chea The main section of the doc that you've shared which is required for APIM to validate tokens is the one about the validate-jwt policy. This is likely what you are missing, or you added it in the wrong scope.

    The rest of the doc covers steps to create the relevant Azure AD artifacts and support OAuth2.0 based logins when testing APIs on the Developer Portal.
