Reputation: 117
I have a SPA (Angular) application that connects users with Azure AD B2C. The application then obtains a JWT. The application (SPA) must then consume APIs behind WSO2 APIM. I want to have the JWT validated by WSO2 APIM.
SPA --> AZUREADB2C
SPA <-- AZUREADB2C (JWT)
SPA --> APIM (Validate JWT) --> Backend API
Should I create a custom key manager in APIM? Or is there another setting?
Upvotes: 1
Views: 696
Reputation: 1224
WSO2 API Manager provides two ways to cater for this requirement.
If you want to validate the token directly generated from Azure AD
It needs to be configured as a key manager from the Admin portal. WSO2 API Manager does not have out-of-the-box support to configure Azure AD as a key manager. (It supports WSO2 IS, KeyCloak, PingFederate, Okta and Auth0 OOTB).
You can write a custom key manager implementation and deploy it in API Manager to cater for this requirement. The steps to write a custom key manager are explained here.
User authentication with token exchange approach
WSO2 API Manager supports the OAuth 2.0 Token Exchange grant type (from APIM 4.1.0 onwards) to exchange JWT tokens generated by external authorization servers for an APIM token.
For this, you need to add Azure AD as a Key Manager as mentioned in this doc and exchange the JWT token generated from Azure AD for an APIM token. This method requires some modification in the SPA.
Upvotes: 0
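Whichever route is taken, the gateway (or the custom key manager behind it) ends up doing the same thing with the Azure AD B2C token: verify the signature against a known key, then check issuer, audience and validity window before letting the request through. The script below is an added example illustrating those checks; it is not code from the answer above, from WSO2 or from Microsoft. To stay stdlib-only it signs with HS256 and a constructed shared secret, whereas B2C signs with RS256 and publishes its keys in a JWKS document, so a real validator would look up the token's `kid` in that JWKS and verify an RSA signature instead of an HMAC. The issuer, audience and secret values are constructed placeholders; the claim checks are the same in either case.

```python
"""Claim and signature checks a gateway or custom key manager performs on an
external JWT. Added example, not WSO2 or Microsoft code. HS256 with a
constructed secret stands in for B2C's RS256 + JWKS (see lead-in)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders for the B2C tenant/policy issuer and the SPA's
# application (client) id registered in B2C. Not real identifiers.
ISSUER = "https://example-tenant.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
AUDIENCE = "11111111-1111-1111-1111-111111111111"
SECRET = b"constructed-shared-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Issue a token the way an IdP would (demo-only, so tests can build inputs)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = "%s.%s" % (_b64url(json.dumps(header).encode()),
                               _b64url(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url(sig))


class TokenInvalid(Exception):
    pass


def validate_token(token: str, now: Optional[float] = None, secret: bytes = SECRET,
                   issuer: str = ISSUER, audience: str = AUDIENCE, leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable, otherwise raise TokenInvalid."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError as e:  # covers unpacking, base64 and JSON errors
        raise TokenInvalid("malformed token: %s" % e)
    # 1. Algorithm allow-list: the verifier decides the algorithm, never the
    #    token header (rejects "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise TokenInvalid("algorithm not allowed: %s" % header.get("alg"))
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(secret, ("%s.%s" % (h64, p64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenInvalid("bad signature")
    # 3. Issuer must be exactly the configured IdP (tenant + policy for B2C).
    if claims.get("iss") != issuer:
        raise TokenInvalid("unexpected issuer: %s" % claims.get("iss"))
    # 4. Audience must include this application; aud may be a string or a list.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise TokenInvalid("token not intended for this audience: %s" % aud)
    # 5. Validity window: exp is mandatory, nbf optional, small skew allowed.
    if "exp" not in claims:
        raise TokenInvalid("missing exp")
    if now > claims["exp"] + leeway:
        raise TokenInvalid("token expired")
    if now < claims.get("nbf", 0) - leeway:
        raise TokenInvalid("token not yet valid")
    return claims


def check_token(token: str, now: Optional[float] = None, **kw):
    """Convenience wrapper returning (True, 'ok') or (False, reason)."""
    try:
        validate_token(token, now=now, **kw)
        return True, "ok"
    except TokenInvalid as e:
        return False, str(e)


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1", "iat": t0, "exp": t0 + 3600})
    print("accepted subject:", validate_token(good, now=t0 + 10)["sub"])
    for label, tok in [
        ("wrong audience", mint_token({"iss": ISSUER, "aud": "other-app", "exp": t0 + 3600})),
        ("alg=none", mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": t0 + 3600}, alg="none")),
        ("expired", good),
    ]:
        print(label, "->", check_token(tok, now=t0 + (7200 if label == "expired" else 0)))
```

The order of the checks matters: the algorithm allow-list and signature come first so that no claim from an unauthenticated token influences control flow, and the audience check is what stops a token minted for a different B2C app registration from being accepted at this API.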
Reputation: 1410
You should be able to use the JWT Bearer Grant[1] for this purpose.
Basically, you will have to add Azure AD as an IdP in APIM and configure a service provider. Then you can obtain a token from APIM after validating your JWT and use that to access the APIs.
[1] - https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/jwt-grant/#jwt-grant
Upvotes: 1