
Pass only 1 header instead of Authorization and Ocp-Apim-Subscription-Key in Azure API Management


I have a few APIs in Azure API Management. I need Azure to check for a valid subscription, but at the same time I need some header values for authorization and authentication. Now the client comes with a requirement that OAuth 2.0 must be there. Now we have 1 header for the subscription key (Ocp-Apim-Subscription-Key), 2 headers required by me (like LocationCode, ApplicationKey) and 1 header for Authorization (Bearer token from AD).

I need a solution where there would be only 1 header and all of these must be derived from it. Does anyone have a suggestion on how to achieve this?

What I have tried till now is: I have generated a JWT from my code and added the subscription key and other headers into it, but I am not able to pass the subscription key. I am not an expert at policy editing, but if someone can help then it may be achievable.

Can we add some custom headers into the OAuth access token which can be generated from Azure AD with an App Registration?

Thanks in advance!!


Solution

  • You could include LocationCode and ApplicationKey as custom claims in your JWT (refer to this SO post that covers the steps nicely).

    But the subscription key must be either in the header or query string for APIM to consider it. So, you could bring this down to two headers from four with this approach.

    One way you could bring this down to one is to have the SubscriptionKey as a claim as well, but have a proxy (could be another APIM operation too) that would extract the key from the claim and then call the actual API that requires it. But considering the subscription key is a secret, this would not be advisable.
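    The two-header variant described above, as an added example that is not part of the answer or of any Microsoft sample: an inbound APIM policy that validates the Azure AD bearer token, requires the two custom claims to be present, and copies them into the LocationCode and ApplicationKey headers the backend expects. The subscription key stays in Ocp-Apim-Subscription-Key and is checked by APIM's built-in subscription handling before this policy runs, so it is never placed in the token. The tenant id, audience and claim names are assumed placeholders.

```xml
<policies>
    <inbound>
        <base />
        <!-- Validate the Azure AD access token from the Authorization: Bearer header.
             {tenant-id} and {client-id} are placeholders for the real tenant and app registration. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      output-token-variable-name="jwt">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://{client-id}</audience>
            </audiences>
            <!-- Reject tokens that do not carry the custom claims at all (assumed claim names). -->
            <required-claims>
                <claim name="LocationCode" />
                <claim name="ApplicationKey" />
            </required-claims>
        </validate-jwt>
        <!-- Derive the two application headers from the validated token's claims,
             overriding anything the caller may have sent so the backend only sees
             values that were signed by Azure AD. -->
        <set-header name="LocationCode" exist-action="override">
            <value>@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("LocationCode", ""))</value>
        </set-header>
        <set-header name="ApplicationKey" exist-action="override">
            <value>@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("ApplicationKey", ""))</value>
        </set-header>
        <!-- Optional: do not forward the subscription key to the backend. -->
        <set-header name="Ocp-Apim-Subscription-Key" exist-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

    With this in place a caller sends only Authorization and Ocp-Apim-Subscription-Key. Because the headers are overwritten from the validated token rather than trusted from the request, a client cannot spoof LocationCode or ApplicationKey by sending them directly, which is the main reason to prefer claims-to-headers over pass-through headers even before the header count is considered.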