Search code examples
azureoauth-2.0azure-functionsazure-api-managementazure-security

Azure APIM and Function app Oauth2.0 Azure AD authentication

Micro services are written in Function App and APIM are used as proxy gateways. Authorised and authentication are through Oauth2.0 and azure AD.

  1. Where do tokens propagation stop/end? isn't APIM?
  2. if so, How can API know the roles? is it through HTTP headers or any other protocols?
  3. How to establish a trusted relationship between function API and APIM? Azure app service plan are being used.
  4. Does this design satisfy "zero trust security policy"?
Solution
    1. Where do tokens propagation stop/end? isn’t APIM?

    Yes, usually token propagation ends at the APIM gateway. Clients authenticate with Azure AD to obtain OAuth2.0 tokens, which they include in their requests. APIM validates these tokens before forwarding the request to the backend Azure Function App.

    If you want to cache the token in the APIM, you can add the Cache Policy to the Inbound Policies of an API. For your reference, apim-backend-OAuth2 authentication GitHub article.

    1. if so, How can API know the roles? is it through HTTP headers or any other protocols?

    APIM can extract claims from the token and expose them as headers to the backend API. These headers can include information like user roles or permissions. The backend API can then read these headers to make authorization decisions.

    When you establish the Oauth2 connectivity with APIM on the backend API, it will validate the jwt policy and token for every incoming request and also the roles or permissions given to the application based on scope such as Files.Read, Users.Read with delegated level will be used in client credentials flow.

    I have created the function app as a backend application and APIM to act as a proxy for the backend. Using this MS Article, I have created OAuth2 Authorization and enabled Azure AD in the APIM for APIs.

    enter image description here

    enter image description here

    User credentials are not required to sign in to the developer portal for testing the API because the client secret and ID are added in the request to verify along with the authorization header as OAuth2 and the access token from AD is fetched and verified in the request itself.

    How to establish a trusted relationship between function API and APIM?

    In Azure, this trust is typically established through service-to-service authentication using Azure AD. You configure APIM to authenticate itself to the backend function app using a client ID and secret or certificate. This ensures that only requests coming from the trusted APIM gateway are accepted by the function app.

    Also coming to the Authorization of the API (eg, function app), how the authorization keys are fetched to the APIM and how it validates the user-created auth keys and also proxy enable setting will be done from the backends option as shown below:

    enter image description here

    Does this design satisfy the “zero trust security policy”?

    Here the Azure AD is for authentication and APIM is for API gateway functionalities are every access request is strictly authenticated and authorized. However, you can also add many inbound policies to the APIM APIs to get closer and strengthen security.