
I have to implement OAuth 2.0 in my project with a third party Authorization Server. Both my client and server are already registered on the AS. I have created an API management instance on Azure and imported the swagger APIs. I want every incoming request to be validated against my AS, so I just need to redirect the request to https://my-as.com/as/introspect.oauth2, and have the token validated. If the token is valid then let it proceed or else send 401. I was trying to implement this using "inbound processing" and referred to the following doc: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests.

The only problem is that instead of Azure AD I'm using a third-party AS. I tried replacing the URL in the sample XML code with my URL, but it's not working.

How do I redirect requests to the Authorization Server for validating access token?

rishav
  • Hi. May I know what issue you are facing? I would appreciate your specific error message or concern. – Inzi Feb 11 '19 at 05:13
  • What configuration should I add on my Azure API Management instance to validate the access token with a third-party Authorization Server (https://my-as.com/as/introspect.oauth2)? PS - I'm trying to implement the OAuth Authorization Code grant here. – rishav Feb 11 '19 at 05:27
  • Just check this link. I have done this scenario with ADFS and AAD, but not with third-party servers. https://auth0.com/docs/integrations/azure-api-management/configure-azure – Inzi Feb 11 '19 at 05:38
  • I've already followed the steps mentioned in the doc. Currently, in the developer portal, I'm able to get the token from the AS and send it as a header (as mentioned in the doc), but what if my API gateway is hit directly with/without the token? My objective is to do a pre-processing of each request for a valid token (by asking the AS whether the token is valid or not) before sending it to the imported APIs. – rishav Feb 11 '19 at 06:22
  • I simply want to modify this step by substituting Azure AD with a third party AS - https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests – rishav Feb 11 '19 at 06:24
  • Yes, I can understand. When you apply the policy like you mentioned, are you getting any error, or are you unable to achieve the scenario at run time? – Inzi Feb 11 '19 at 08:16
  • I've written a policy for that but am not able to test it now due to some blocker. I need one last piece of info: what should be the value of the Authorization header? Should it be Basic Authentication with the Client Id and key? Refer - https://stackoverflow.com/a/28048217/4395295 – rishav Feb 11 '19 at 10:37

1 Answer


Adding the following inbound policy worked:

<inbound>
    <!-- validate-jwt needs the issuer's signing keys; an opaque token from a third-party AS
         has to be checked by asking the AS, i.e. RFC 7662 token introspection. -->
    <!-- Extract the bearer token from the Authorization header. If the header is absent, the
         "scheme param" default makes the token "param", which the AS reports as inactive, so
         the request is still rejected below. -->
    <set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
    <!-- Ask the Authorization Server whether the token is active (RFC 7662). The only
         parameter RFC 7662 requires is "token"; the grant_type value below is
         PingFederate-specific. The client authenticates with client_id/client_secret in the
         form body (client_secret_post); store the secret as an APIM named value instead of
         writing it into the policy. -->
    <send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
        <set-url>https://my-as.com/as/introspect.oauth2</set-url>
        <set-method>POST</set-method>
        <set-header name="Content-Type" exists-action="override">
            <value>application/x-www-form-urlencoded</value>
        </set-header>
        <set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UoM&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
    </send-request>
    <choose>
        <!-- Fail closed. With ignore-error="true" a failed call leaves tokenstate null, and a
             non-200 reply or a missing "active" member must not let the request through.
             (bool?) on a missing JSON member yields null, which is != true. -->
        <when condition="@{
            var tokenstate = context.Variables.GetValueOrDefault<IResponse>("tokenstate");
            if (tokenstate == null || tokenstate.StatusCode != 200) { return true; }
            return (bool?)tokenstate.Body.As<JObject>()["active"] != true;
        }">
            <!-- Return 401 Unauthorized with the RFC 6750 challenge; the response is built
                 entirely from the elements below, so no response variable is referenced. -->
            <return-response>
                <set-status code="401" reason="Unauthorized" />
                <set-header name="WWW-Authenticate" exists-action="override">
                    <value>Bearer error="invalid_token"</value>
                </set-header>
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
rishav
    Thank you so much! I was following the Microsoft AD path and really struggling to find an example of an external idp. This helped me – Shad Aug 20 '20 at 13:31
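To make the decision the policy above takes concrete, here is an added Python model of the same inbound check; it is not APIM policy code and not part of the original answer. The in-memory authorization server, the client id UoM with its secret, and the tokens are all constructed here. Where the answer's policy sends the client credentials in the form body (client_secret_post), this model uses HTTP Basic (client_secret_basic), the option asked about in the comments; RFC 6749 allows either. The point it demonstrates is fail-closed handling: an unreachable AS, a non-200 reply, a missing or non-boolean `active` member, and a malformed Authorization header are all rejected, with the AS outage reported as 503 rather than as an invalid token.

```python
"""Fail-closed bearer-token check against an RFC 7662 introspection endpoint.

Added example modelling the decision the APIM policy makes. The in-memory
authorization server, its client credentials and the tokens are constructed here.
"""
import base64
import secrets
from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]
IntrospectResult = Tuple[int, dict]                        # (HTTP status, JSON body)
Introspect = Callable[[Headers, Dict[str, str]], IntrospectResult]

# Constructed sample data (assumed): the client registered at the AS for introspection,
# and the tokens the AS knows. Per RFC 7662 an unknown or revoked token is answered
# with {"active": false}, not with an error status.
_CLIENTS = {"UoM": "somesecret"}
_TOKENS = {
    "tok-active": {"active": True, "scope": "read", "client_id": "UoM", "token_type": "Bearer"},
    "tok-revoked": {"active": False},
}


def fake_introspection_endpoint(headers: Headers, form: Dict[str, str]) -> IntrospectResult:
    """Stand-in for https://my-as.com/as/introspect.oauth2 (hypothetical server).

    Authenticates the caller with HTTP Basic (client_secret_basic, RFC 6749 2.3.1)
    and answers with an RFC 7662 introspection response.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, secret = base64.b64decode(auth[len("Basic "):]).decode().split(":", 1)
    except ValueError:                        # bad base64, bad UTF-8 or no ':' separator
        return 401, {"error": "invalid_client"}
    if not secrets.compare_digest(_CLIENTS.get(client_id, ""), secret):
        return 401, {"error": "invalid_client"}
    return 200, _TOKENS.get(form.get("token", ""), {"active": False})


def unreachable_as(headers: Headers, form: Dict[str, str]) -> IntrospectResult:
    """Constructed failure scenario: the AS times out (what ignore-error hides in APIM)."""
    raise TimeoutError("introspection endpoint unreachable")


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Token from 'Bearer <token>' (RFC 6750 2.1), or None when absent or malformed."""
    if not authorization:
        return None
    parts = authorization.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def gateway_decision(authorization: Optional[str], introspect: Introspect,
                     client_id: str = "UoM", client_secret: str = "somesecret") -> Tuple[int, Headers]:
    """The inbound check: returns (status, headers).

    200 means "forward to the backend"; anything else is the response the gateway
    returns itself. Every failure path rejects the request (fail closed). An
    unreachable AS yields 503, not 401, because no token was actually checked.
    """
    token = extract_bearer(authorization)
    if token is None:
        return 401, {"WWW-Authenticate": "Bearer"}         # no credentials presented
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    try:
        status, body = introspect(
            {"Authorization": "Basic " + creds,
             "Content-Type": "application/x-www-form-urlencoded"},
            {"token": token, "token_type_hint": "access_token"},
        )
    except Exception:                                      # timeout, DNS, TLS failure ...
        return 503, {"Retry-After": "5"}
    # RFC 7662 "active" is a JSON boolean: a non-200 reply, a missing member, or a value
    # of any other type (the string "true", the number 1) counts as not active.
    if status != 200 or body.get("active") is not True:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    return 200, {}


if __name__ == "__main__":
    for hdr in ("Bearer tok-active", "Bearer tok-revoked", "Bearer unknown", None, "Basic abc"):
        print(f"{hdr!r:>22} -> {gateway_decision(hdr, fake_introspection_endpoint)}")
    print(f"{'AS down':>22} -> {gateway_decision('Bearer tok-active', unreachable_as)}")
```

The strict `is not True` comparison is deliberate: the APIM sample's `(bool)... == false` test throws on a missing member and would coerce oddly typed values, whereas the gateway should only forward a request when the AS has positively said the token is active.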