Reputation: 55
I would like to implement the X-CSRF pattern as per the documentation below:
https://learn.microsoft.com/en-us/azure/api-management/policies/get-x-csrf-token-from-sap-gateway
But the above documentation is for SAP Gateway. Is there any documentation where the Gateway is Azure API-Management gateway itself?
Thanks for your answer in advance.
Regards, Chaitanya
Upvotes: 0
Views: 778
Reputation: 196
I assume you are looking to fetch a CSRF token from the APIM gateway instead of the SAP gateway. The sample policy mentioned above implements the X-CSRF token for SAP gateway, which uses cookie-based authentication, and the flow is described here. Cookie-based authentication is vulnerable to CSRF attacks, and hence the need for the X-CSRF pattern.
However, Azure AD uses token-based authentication with JWT (JSON Web Token); refer to Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core for more info. Also, check the SO thread (Difference between CookieAuthentication and WindowsAzureADAuthentication Options) for a similar discussion.
So APIM uses a JWT token and doesn't support cookie-based authentication, and hence you cannot fetch a CSRF token from the APIM gateway.
Upvotes: 0
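To make the distinction in the answer concrete, here is an added example (not from the question, the answer, or Microsoft's policy sample) of a server-side guard that mirrors the SAP Gateway X-CSRF-Token flow: a session-cookie client first sends `X-CSRF-Token: Fetch` on a safe request, then presents the issued token on modifying requests, while a request carrying a Bearer JWT needs no token because the browser never attaches that header on its own. The `SESSION` cookie name, the in-memory session store, and the pre-canonicalized header names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class CsrfGuard:
    # Constructed in-memory store: session cookie value -> CSRF token issued to it.
    sessions: dict = field(default_factory=dict)

    def handle(self, method, headers, cookies):
        """Return (status, response_headers) for one request.

        headers/cookies are plain dicts with canonical names (an assumption:
        a real server would normalize header-name case first).
        """
        auth = headers.get("Authorization", "")
        session = cookies.get("SESSION")

        # Bearer (JWT) auth: the token is sent explicitly by application code,
        # not ambiently by the browser, so a cross-site form cannot ride on it
        # and no CSRF token is required.
        if auth.startswith("Bearer "):
            return 200, {}

        # Cookie-based auth is the ambient-credential case the pattern exists for.
        if session is None:
            return 401, {}

        if method in SAFE_METHODS:
            resp = {}
            # "Fetch" on a safe request: issue (or re-issue) the session's token.
            if headers.get("X-CSRF-Token", "").lower() == "fetch":
                token = self.sessions.setdefault(session, secrets.token_urlsafe(32))
                resp["X-CSRF-Token"] = token
            return 200, resp

        # Modifying request under cookie auth: presented token must match the one
        # issued to this same session. SAP Gateway answers a missing/invalid token
        # with 403 and the header "X-CSRF-Token: Required", mirrored here.
        expected = self.sessions.get(session)
        presented = headers.get("X-CSRF-Token")
        if (expected is None or presented is None
                or not secrets.compare_digest(expected.encode(), presented.encode())):
            return 403, {"X-CSRF-Token": "Required"}
        return 200, {}
```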