Azure API Management Policies and Custom Authentication Flows – Part 2: Authentication & Authorization Deep Dive

Azure API Management Policies and Custom Authentication Flows

Part 2: Authentication & Authorization Policies Deep Dive

Authentication and authorization are the cornerstones of API security. Azure API Management provides powerful built-in policies for JWT validation, OAuth 2.0 integration, certificate-based authentication, and API key management.

JWT Token Validation

<!-- Basic JWT validation with Azure AD -->
<!-- The discovery document path is hyphenated: .well-known/openid-configuration -->
<validate-jwt header-name="Authorization" require-scheme="Bearer" require-expiration-time="true" failed-validation-httpcode="401">
    <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
    <required-claims>
        <!-- Reject tokens that were issued for a different API -->
        <claim name="aud">
            <value>api://your-api-client-id</value>
        </claim>
    </required-claims>
</validate-jwt>

OAuth 2.0 Integration

<!-- OAuth 2.0 token introspection (RFC 7662) -->
<inbound>
    <send-request mode="new" response-variable-name="tokenValidation" timeout="10">
        <set-url>https://oauth.provider.com/token/introspect</set-url>
        <set-method>POST</set-method>
        <!-- Introspection endpoints require client authentication; {{introspection-client-credentials}} is a named-value placeholder -->
        <set-header name="Authorization" exists-action="override">
            <value>Basic {{introspection-client-credentials}}</value>
        </set-header>
        <set-header name="Content-Type" exists-action="override">
            <value>application/x-www-form-urlencoded</value>
        </set-header>
        <set-body>@($"token={context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ", "")}")</set-body>
    </send-request>

    <!-- HTTP 200 alone is not enough: a revoked or expired token is reported as {"active": false} with status 200 -->
    <choose>
        <when condition="@{
            var response = (IResponse)context.Variables["tokenValidation"];
            if (response.StatusCode != 200) return true;
            var body = response.Body.As<JObject>(preserveContent: true);
            return body == null || body["active"] == null || !body["active"].Value<bool>();
        }">
            <return-response>
                <set-status code="401" reason="Unauthorized" />
                <set-body>{"error": "invalid_token"}</set-body>
            </return-response>
        </when>
    </choose>
</inbound>

Certificate-Based Authentication

<!-- Client certificate validation -->
<inbound>
    <choose>
        <!-- Presence alone is not validation: Verify() also requires the chain to build to a trusted CA and the certificate to be within its validity period -->
        <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
            <return-response>
                <set-status code="401" reason="Unauthorized" />
                <set-body>{"error": "client_certificate_required"}</set-body>
            </return-response>
        </when>
    </choose>
</inbound>

Role-Based Access Control

<!-- RBAC implementation -->
<inbound>
    <set-variable name="requiredRole" value="@{
        string path = context.Request.Url.Path.ToLower();
        if (path.Contains("/admin/")) return "admin";
        if (context.Request.Method == "POST") return "editor";
        return "user";
    }" />

    <choose>
        <when condition="@{
            // Extract the caller's roles from the bearer token; signature and expiry
            // are assumed to have been checked by a preceding validate-jwt policy
            var requiredRole = (string)context.Variables["requiredRole"];
            var jwt = context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ", "").AsJwt();
            if (jwt == null) return true; // no parsable token: deny
            // The claim name depends on your token structure; Azure AD app roles arrive in "roles"
            var roles = jwt.Claims.ContainsKey("roles") ? jwt.Claims["roles"] : new string[0];
            return !roles.Contains(requiredRole); // true = deny with 403
        }">
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-body>{"error": "insufficient_privileges"}</set-body>
            </return-response>
        </when>
    </choose>
</inbound>
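As an added example (not from the original post), the JWT validation and RBAC sections above can be combined declaratively: validate-jwt checks audience, issuer, expiry and the roles claim itself, and hands the parsed token to later policies through output-token-variable-name, so the path-specific check does not re-parse the header. It assumes Azure AD v2.0 tokens that carry app roles in a "roles" claim; {tenant-id} and api://your-api-client-id are the placeholders used above.

```xml
<!-- Added example, not from the original post. Assumes Azure AD v2.0 tokens with app roles in "roles". -->
<inbound>
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  output-token-variable-name="jwt">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>api://your-api-client-id</audience>
        </audiences>
        <issuers>
            <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
        </issuers>
        <required-claims>
            <!-- match="any": the caller must hold at least one of the listed app roles -->
            <claim name="roles" match="any">
                <value>user</value>
                <value>editor</value>
                <value>admin</value>
            </claim>
        </required-claims>
    </validate-jwt>

    <!-- Path-specific authorization reuses the already validated token from the "jwt" variable -->
    <choose>
        <when condition="@{
            var claims = ((Jwt)context.Variables["jwt"]).Claims;
            bool adminPath = context.Request.Url.Path.ToLower().Contains("/admin/");
            bool isAdmin = claims.ContainsKey("roles") && claims["roles"].Contains("admin");
            return adminPath && !isAdmin; // true = deny with 403
        }">
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-body>{"error": "insufficient_privileges"}</set-body>
            </return-response>
        </when>
    </choose>
</inbound>
```

A token that fails any validate-jwt check never reaches the choose block, so the 403 branch only ever sees signed, unexpired tokens for this audience.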

Coming Up Next

In Part 3, we’ll implement custom authentication flows with practical examples of multi-step authentication and external identity provider integration.


Authentication policies provide the foundation for secure API access. Master these patterns to build robust, scalable authentication systems.
