Yash Mochi

Reputation: 967

Azure REST API security

I am searching for a feature like AAD user-wise roles/policies for specific APIs in API Management Service.

AWS offers role-based access control. For example, we can assign a specific API (of API Gateway) access to a specific IAM user using roles/policies.

Does Azure offer a service like this? For example, I have added 20 APIs (5 GET + 5 POST + 5 PUT + 5 DELETE) in Azure API Management service. Can I assign a specific method's (e.g. GET) API access to a specific user?

Upvotes: 0

Views: 637

Answers (1)

andresm53

Reputation: 2083

One option to achieve this (without code, just configuration) is to use Azure Active Directory (AAD) Application Roles.

First, you need to create an AAD application representing your Web API. Go to AAD > App Registrations and register there a Web App / Web API. Then edit its manifest to add a role, i.e.:

  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application",
        "User"
      ],
      "displayName": "Allow HTTP GET",
      "id": "9cc5ee71-3d7d-4060-8b7f-e734f3917e71",
      "isEnabled": true,
      "description": "Allow HTTP GET requests",
      "value": "AllowGET"
    }
  ],

You can add different roles for the different methods your API has.

Then go to AAD > Enterprise Applications, find the application you just created, and:

  • In Properties, select "User assignment required" > Yes
  • In Users and Groups, add the users you want to allow access to the role you created before ("Allow HTTP GET").

Now go to the API Management service > APIs > find your API / Method and edit Inbound processing. Under Code View, add a ValidateJWT policy to validate the AAD tokens (make sure to configure your AAD tenant name and the audience GUID, which is the application ID of your Web API, the one that you registered in AAD at the beginning):

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/TENANT.onmicrosoft.com/.well-known/openid-configuration" />
    <audiences>
        <audience>53a81160-e4c9-40ba-aeef-6bb99ad6b4b3</audience>
    </audiences>
    <required-claims>
        <claim name="roles" match="all">
            <value>AllowGET</value>
        </claim>
    </required-claims>
</validate-jwt>

Notice that under required-claims is the role claim (AllowGET) you configured before, in the application manifest.

Now you can test. If you want to test through the APIM Developer Console you should follow the instructions here Protect an API by using OAuth 2.0 with Azure Active Directory and API Management.

Or you can also test by just using a simple PowerShell script like the below. If you use this script, first you need to register another AAD application, this time representing the script (a "native client"). Go to AAD > App Registrations and register a Native Client. Under Settings > Permissions, add a delegated permission so this application can call the Web API:


PowerShell script: (review the code and make sure to replace the parameters and the URL of your API, and to add the path to the ADAL library "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" which is used to simplify the token acquisition)

# Load the ADAL library (adjust the path to where the DLL lives on your machine)
add-type -path "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$clientId = "NATIVE APPLICATION AAD APP ID"          # app ID of the native client registration
$redirectUri = "http://NATIVE APPLICATION AAD REDIRECT URI"
$resourceAppIdURI = "WEB API APP ID"                 # app ID of the Web API (the token's audience)
$authority = "https://login.windows.net/TENANT.onmicrosoft.com"
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false
$promptBehavior = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters([Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always)
$userId = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier]::AnyUser
$extraQueryParameters = $null                        # no extra query parameters are needed here
# Interactive sign-in; the returned token carries the app roles assigned to the signed-in user
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $promptBehavior, $userId, $extraQueryParameters)
$authHeader = @{
    'Accept'='application/json'
    'Content-Type'='application/json'
    'Authorization'=$authResult.Result.CreateAuthorizationHeader()   # "Bearer <token>"
    'Ocp-Apim-Subscription-Key'='APIM SUBSCRIPTION KEY'
    'Ocp-Apim-Trace'='true'
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-RestMethod -Uri "https://yourapimanager.azure-api.net/posts" -Headers $authHeader -Method Get -Verbose

Upvotes: 3
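As an added illustration (not part of the answer above, and not APIM code), the following Python emulates the claim checks the validate-jwt policy from the answer performs once the signature has been verified: the audience must contain the Web API's application ID, the token must not be expired, and with match="all" every listed role must be present in the roles claim. The sample tokens are constructed and unsigned; the signature check against the tenant's openid-configuration keys is APIM's job and is out of scope here.

```python
# Added example: emulates the claim checks of the validate-jwt policy above.
# Signature verification is assumed to have already passed (APIM does it).
import base64
import json
import time

AUDIENCE = "53a81160-e4c9-40ba-aeef-6bb99ad6b4b3"   # Web API app ID from the policy
REQUIRED_ROLES = {"AllowGET"}                        # appRoles "value" from the manifest
DENIED = (401, "Unauthorized. Access token is missing or invalid.")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header.payload.<empty signature>.
    Real AAD tokens are RS256-signed; this is only for exercising the claim logic."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_claims(token: str, now=None):
    """Return (http status, message) the way the policy decides it."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return DENIED                      # not a parseable JWT
    if claims.get("exp", 0) <= now:
        return DENIED                      # expired
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        return DENIED                      # token was issued for another API
    # match="all": every required value must be present in the roles claim.
    # A user with no app role assigned gets a token with no roles claim at all.
    roles = set(claims.get("roles", []))
    if not REQUIRED_ROLES <= roles:
        return DENIED                      # user lacks the AllowGET app role
    return 200, "OK"
```

A second operation (say POST) would get its own policy with a different required value, such as an "AllowPOST" role added to the same manifest.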
