How to support secure cookie in API management

Question

How to support secure cookie in API management

Kewei Duan 1

Recently, we decided to replace our customised code-based API gateway with the fully managed API management service from Azure. Our auth system is based on our own OIDC 2 service. I understand API management can support OIDC 2 integration as well as JWT validation. However, we previously save the auth token in cookie as well as some session info for API requests session between our API gateway and our React frontend. However, based on the docs I have seen so far, this cookie-based authentication is not supported and I do not see anything about maintaining sessions among multiple API calls.

So the question is, how to support secure cookie, cookie-based authentication or session in API management? Or do we have to rely on some alternative solutions, or API management does not suitable for our scenario? Thanks.

MikeUrnun 9,777 Reputation points Moderator

2022-04-06T23:56:29.22+00:00

Hello, @Kewei Duan - Could you elaborate on cookie-based authentication and the exact kinds of functionalities you're looking for? Not sure if this helps but the following expression, for example, retrieves Cookie value from the inbound request: @(context.Request.Headers.GetValueOrDefault("Cookie")) and you can maybe use it as part of your custom authentication logic in conjunction with OAuth flow & JWT validation? Or perhaps, you can maybe explore APIM caching features for session-related requirements?
Kewei Duan 1 Reputation point

2022-04-14T08:06:35.593+00:00

Hi Mike, thanks for your reply.

Sure, our auth process uses OIDC 2, which will generate a token for the following access after authentication. In our Front End + Back End service architecture, BE will get this token from an OIDC 2 service through its standard flow and save the token in the secure cookie and send it back to the client (browser-based FE) in response. So in all the following calls in this active session, the token will be transferred back and forth in the cookie in all the requests to the BE, and BE will use the token saved in the cookie for requests to other dependent APIs. There is an article talking about the difference between cookie vs token authentication: https://www.section.io/engineering-education/cookie-vs-token-authentication/. (API management supports token authentication clearly). The reason that we choose cookie-based authentication is that 1) we do not want to save tokens in the browser/client; 2) the service is not stateless, we need to have session related info (which includes the token) in the secure cookie anyway.

Based on your reply, I am thinking perhaps I can save the token value together with all the other session info in a cache, and save the key of the cache in the cookie, then I can customise this process. However, there will be the following things that need to explore about how to implement them in API management, such as CSRF and CORS (is there any example?).

Do you have any further suggestions about how to implement it? Thanks.

1 answer

Your answer

MikeUrnun 9,777 Reputation points Moderator

2022-04-06T23:56:29.22+00:00

Hello, @Kewei Duan - Could you elaborate on cookie-based authentication and the exact kinds of functionalities you're looking for? Not sure if this helps but the following expression, for example, retrieves Cookie value from the inbound request: @(context.Request.Headers.GetValueOrDefault("Cookie")) and you can maybe use it as part of your custom authentication logic in conjunction with OAuth flow & JWT validation? Or perhaps, you can maybe explore APIM caching features for session-related requirements?
Kewei Duan 1 Reputation point

2022-04-14T08:06:35.593+00:00

Hi Mike, thanks for your reply.

Sure, our auth process uses OIDC 2, which will generate a token for the following access after authentication. In our Front End + Back End service architecture, BE will get this token from an OIDC 2 service through its standard flow and save the token in the secure cookie and send it back to the client (browser-based FE) in response. So in all the following calls in this active session, the token will be transferred back and forth in the cookie in all the requests to the BE, and BE will use the token saved in the cookie for requests to other dependent APIs. There is an article talking about the difference between cookie vs token authentication: https://www.section.io/engineering-education/cookie-vs-token-authentication/. (API management supports token authentication clearly). The reason that we choose cookie-based authentication is that 1) we do not want to save tokens in the browser/client; 2) the service is not stateless, we need to have session related info (which includes the token) in the secure cookie anyway.

Based on your reply, I am thinking perhaps I can save the token value together with all the other session info in a cache, and save the key of the cache in the cookie, then I can customise this process. However, there will be the following things that need to explore about how to implement them in API management, such as CSRF and CORS (is there any example?).

Do you have any further suggestions about how to implement it? Thanks.

Answer 1

This is more than a year old but I was looking for something like this so I'll share what I found hoping it saves people some time.

Basically, Mike is right, but the key to making it work without friction is a handy attribute in the validate-jwt policy.

You have three options to configure the source of the the token:

header-name
query-parameter
token-value (bingo)

As explained in the documentation, you can define an "expression returning the token as a string". This basically allows you to get the token from anywhere in your context.

Cookies can be a bit tricky to read, so you can do something like this to save it as a variable:

https://stackoverflow.com/a/74036568/8835587

As a bonus, if working with AD B2C you can use this policy instead, which also supports token-value:
https://learn.microsoft.com/en-us/azure/api-management/validate-azure-ad-token-policy

Share via

How to support secure cookie in API management

1 answer

Your answer