Background
I have created a test API within Azure-API-Management. I am able to get data from the API as long as I supply the "subscription-key". I am unaware of how to set up security to link in with Azure AD.
I am creating a SPA in Angular, and am using adal-angular5. I have followed this excellent guide on SpikesApps, however I am using adal-angular5 instead of adal-angular4. I am able to get the 1296 character token of the logged in user. See screenshot below:
The SpikesApps guide linked above is connecting to an API that was created as an Azure WebApp, not part of Azure-API-Management. The guide uses the user token and submits it as a header in the HTTP get. (Authorization: Bearer [user 1296 char token]).
My limited knowledge of Azure tells me that setting up security for an Azure WebApp API is different to an API within Azure-API-Management.
The difference of my situation to SpikesApps guide (and hence why I'm stuck), is that I want to securely connect to an API which is part of the Azure-API-Management.
My questions:
Is it possible to secure an API within Azure-API-Management such that my Angular SPA can access it by supplying the Authorization: Bearer <user 1296 char token> header? (I.e. as per the API accessed within the SpikesApps guide.)
If not, what are my options?
I've read a little bit about "validate-jwt" policies for APIs in Azure-API-Management. If this is the only method, how do I obtain a JWT? I assume the JWT is NOT the same as the 1296 char user token I already have?
Screenshots
(Showing user info obtained by adal-angular5 within my Angular SPA)
(Example of how adal-angular5 adds the Authorization header to the get request. https://www.npmjs.com/package/adal-angular5)
Upvotes: 3
Views: 2329
Have figured out the solution, literally an hour after posting the above question (prior to that I wasted many hours!).
Needed to add the validate-jwt to the API's Inbound policy.
I did it by following (some of) the instructions on this page: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests
Really only needed to do the following:
<Authorization: Bearer {USER_TOKEN}>
(as per the guide in the original question above)
Upvotes: 5
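The answer above says a validate-jwt policy in the API's Inbound section was all that was needed, but the policy itself did not survive on the page. The following is an added example of such a policy, written by the editor and not copied from the answer or from the linked Microsoft guide. It assumes an Azure AD v1 access token (the kind ADAL acquires, which is itself a JWT) and uses labelled placeholders for the tenant id and the application id that the token's aud claim must match; replace them with the values from your own tenant and app registration.

```xml
<!-- Added example: APIM inbound policy that pre-authorizes requests with an Azure AD bearer token.
     TENANT_ID_PLACEHOLDER and BACKEND_APP_ID_PLACEHOLDER are assumptions, not values from the page. -->
<policies>
    <inbound>
        <base />
        <!-- Reject the call before it reaches the backend unless the Authorization header
             carries a JWT whose signature, lifetime, audience and issuer all check out. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-expiration-time="true"
                      require-scheme="Bearer"
                      require-signed-tokens="true">
            <!-- APIM downloads the tenant's signing keys from this metadata document,
                 so no key material has to be pasted into the policy. -->
            <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/.well-known/openid-configuration" />
            <!-- The token's aud claim must name this API, otherwise a token issued for a
                 different resource (for example Microsoft Graph) would be accepted. -->
            <audiences>
                <audience>BACKEND_APP_ID_PLACEHOLDER</audience>
            </audiences>
            <!-- v1 tokens from ADAL carry the sts.windows.net issuer; v2 tokens would instead
                 carry https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0 -->
            <issuers>
                <issuer>https://sts.windows.net/TENANT_ID_PLACEHOLDER/</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two things worth checking after applying it: the audience value must be exactly what appears in the aud claim of the token the SPA obtains (decode the token and compare, since v1 tokens may carry either the App ID URI or the application id, depending on how the resource was requested), and validate-jwt does not switch off the subscription-key requirement mentioned in the question; if the SPA should authenticate with the bearer token alone, the API's "Subscription required" setting has to be disabled separately.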