
I have a single ASP.NET MVC app - website and API controllers. I'd like to use Azure API Management to manage these APIs but retain the same URL so that it is seamless for our consumers. We have a custom domain set up on the app service for this web app that is currently used to serve up both the site and the APIs (e.g. Website: xyz.com, APIs: xyz.com/api1, xyz.com/api2, etc.). Also we use AAD for auth and have the redirect URI set up to the custom domain (xyz.com). Everything works great at present.

The issue arises after we configure API Management to expose our APIs and potentially use it as a passthrough. In order to ensure that the URLs remain the same after API Management is introduced, we set the custom domain on the API Management instance itself and removed it from the app service. This is how our current setup looks -->

User hits xyz.com and the request proceeds as follows -> Traffic Manager -> APIM(xyz.com) -> App Service(xxx.azurewebsites.net)

After that last point above, AAD auth should kick in and, once it has the access token after successful auth, it should redirect the user and the page should load. But it doesn't. Instead we get a blank page, and if we refresh it, then and only then does it proceed to auth and load the page.

We have tried setting our redirect URI to both the custom domain (xyz.com) as well as the base app service name that Azure generated (xxx.azurewebsites.net).

Directly hitting the API URLs specifically (e.g. xyz.com/api1) works fine. It goes through APIM and responds as expected. The only problem is that the website doesn't load, as outlined above.

The moment we take APIM out of the equation, and set the custom domain back on the app service again, everything works as expected.

I'm trying to figure out if we've misconfigured our assets for this scenario somehow or if APIM doesn't support pass through for the website in this manner. Any thoughts/suggestions here would be much appreciated!

1 Answer


Wow, that was a lot of text. Ok, let's see:

Visitors -> Traffic manager -> APIM -> backend (your website) - ok got it.

This is a common way of using APIM, and it should work. However, maybe your policies are not set up correctly?

Have you built your product/API/Operations? Do you see requests coming from APIM hitting your site? What responses are you getting?

Now, of course, you will need to define and set up APIM (products, APIs, and every operation) to pass it through to your backend. This means if you (as a visitor) need to list all products, you would need to go through the APIM operation (say GetProducts). Your request will be passed through the Inbound policy (adjust and build the request if needed), passed to the backend (to your website with custom APIs), and the response will be sent from the backend back to the visitor.

Now to this: to protect your Web API Backend in APIM, you could use OAuth 2.0 authorization with Azure AD: big picture overview:

  1. Register an application (for your backend) in Azure AD to represent the API
  2. Register another Application (the client) in Azure AD to represent a client app that will call your API
  3. And I guess this is the one for you: grant permissions to allow the client app to call the backend app
  4. And, of course, add the validate-jwt policy to validate the OAuth token for every incoming request

Read more on this here: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

Dharman
photowalker
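To make steps 1-4 of the answer concrete, here is an added example of an APIM inbound policy that both forwards the call to the App Service backend and validates an Azure AD bearer token before anything reaches it. It is not code from the question or the answer; `{tenant-id}`, the `api://{backend-app-client-id}` audience (the Application ID URI of the backend app registration from step 1) and the `Products.Read` scope are placeholders you would replace with your own values, and `xxx.azurewebsites.net` is the backend name used in the question.

```xml
<!-- Added example: APIM policy for an API scope (e.g. the /api1 API), not the original post's configuration -->
<policies>
  <inbound>
    <base />
    <!-- Forward to the App Service that lost its custom domain when it moved to APIM -->
    <set-backend-service base-url="https://xxx.azurewebsites.net" />
    <!-- Reject the request at the gateway unless it carries a valid AAD access token.
         require-scheme="Bearer" also rejects tokens sent with the wrong scheme. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-expiration-time="true"
                  require-scheme="Bearer"
                  require-signed-tokens="true">
      <!-- {tenant-id} is a placeholder for your Azure AD tenant; APIM fetches the signing keys from here -->
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- Placeholder: Application ID URI of the backend app registration (step 1) -->
        <audience>api://{backend-app-client-id}</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
      </issuers>
      <required-claims>
        <!-- Placeholder scope granted to the client app in step 3; "scp" is space-separated in AAD tokens -->
        <claim name="scp" match="any" separator=" ">
          <value>Products.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Two practical notes. First, `validate-jwt` only makes sense for the API operations: a browser navigating to the website's pages does not send an `Authorization: Bearer` header, it relies on the AAD redirect flow and cookies, so applying this policy at the global or product scope that also fronts the site would turn every page load into a 401. Scope it to the API (or individual operations). Second, after the policy is in place, test with a token issued to the client app from step 2 and one issued to a different audience; the second should be rejected with the 401 above, which confirms the audience check is actually being enforced rather than only the signature.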