Hi All
I'm trying to set up an App Service in Azure that is secured by AAD, with requests coming in via API Management authenticated using managed identities.
The steps I've taken are:
- Enabled AAD authentication on the App Service and confirmed that there is an Application created in the AAD tenant
- Enabled Identity on the API Management instance
- Set the policy on the API to:
<!--
    IMPORTANT:
    - Policy elements can appear only within the <inbound>, <outbound>, <backend> section elements.
    - To apply a policy to the incoming request (before it is forwarded to the backend service), place a corresponding policy element within the <inbound> section element.
    - To apply a policy to the outgoing response (before it is sent back to the caller), place a corresponding policy element within the <outbound> section element.
    - To add a policy, place the cursor at the desired insertion point and select a policy from the sidebar.
    - To remove a policy, delete the corresponding policy statement from the policy document.
    - Position the <base> element within a section element to inherit all policies from the corresponding section element in the enclosing scope.
    - Remove the <base> element to prevent inheriting policies from the corresponding section element in the enclosing scope.
    - Policies are applied in the order of their appearance, from the top down.
    - Comments within policy elements are not supported and may disappear. Place your comments between policy elements or at a higher level scope.
-->
<policies>
    <inbound>
        <base />
        <authentication-managed-identity resource="<AAD Application Client ID>" output-token-variable-name="odata-access-token" ignore-error="true" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
When I try to access the API endpoint from a browser I'm redirected to login.microsoftonline.com.
When I test in the Azure Portal I receive this in the trace:
Inbound:
authentication-managed-identity (0.282 ms) {"message": "Obtaining managed identity token using clientId:<AAD Application Client ID> AAD Authority:https://login.windows.net/de4c6f6b-3c35-40d2-bd1c-b877efef53ff for <AAD Application Client ID> audience succeeded.","errorResponse": null }
authentication-managed-identity (0.002 ms) { "message": "Managed identity token is added to odata-access-token context variable." }
Backend:
forward-request (0.063 ms) {"message": "Request is being forwarded to the backend service. Timeout set to 300 seconds","request": {"method": "GET","url": "https://XXXXXX.azurewebsites.net/api/Test","headers": [ {"name": "Host","value": "XXXXXX.azurewebsites.net" }, {"name": "Ocp-Apim-Subscription-Key","value": "07360a5179c441f993be11a0d12b2ab5" }, {"name": "X-Forwarded-For","value": "195.188.200.6,13.91.254.72" }, {"name": "Cache-Control","value": "no-cache, no-store" }, {"name": "Accept","value": "*/*" }, {"name": "Accept-Encoding","value": "gzip,deflate,br" }, {"name": "Accept-Language","value": "en-GB,en;q=0.5" }, {"name": "Referer","value": "https://apimanagement.hosting.portal.azure.net/apimanagement/Content/1.0.552.0/apimap//apimap-apis/index.html?clientOptimizations=undefined&l=en.en-gb&trustedAuthority=https%3A%2F%2Fportal.azure.com&shellVersion=undefined" } ] } }
forward-request (17.281 ms) { "response": {"status": {"code": 401,"reason": "Unauthorized" },"headers": [ {"name": "Content-Length","value": "58" }, {"name": "Content-Type","value": "text/html" }, {"name": "Date","value": "Thu, 06 Jun 2019 11:30:39 GMT" }, {"name": "Set-Cookie","value": "ARRAffinity=c80e77c9a08c7ed8b1dba34c66e0a3b362bae00668e6c757e3268f529022cd39;Path=/;HttpOnly;Domain=kk-odata-test.azurewebsites.net" }, {"name": "WWW-Authenticate","value": "Bearer realm=\"kk-odata-test.azurewebsites.net\" authorization_uri=\"https://login.windows.net/de4c6f6b-3c35-40d2-bd1c-b877efef53ff/oauth2/authorize\" resource_id=\"db7448fe-ad35-49e6-a806-5440b00282b1\"" }, {"name": "X-Powered-By","value": "ASP.NET" } ] } }
If anyone could help me figure out what I've missed I'd be most grateful.
Thanks in advance
Mark
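For reference, the trace above shows the managed identity token being stored in the odata-access-token variable but never attached to the forwarded request, so the backend sees no Authorization header and returns 401. The policy below is an added example, not part of the original post, of the same inbound section with a set-header step that forwards the token as a bearer credential; the resource value must match the App Service's AAD application (the resource_id the backend advertises in its WWW-Authenticate header), and ignore-error is set to false so a failed token acquisition surfaces in the trace instead of silently forwarding an unauthenticated request. The variable name msi-access-token is an arbitrary choice.

```xml
<policies>
    <inbound>
        <base />
        <!-- Acquire a token for the App Service's AAD application using the APIM managed identity.
             ignore-error="false" makes a token failure stop the request rather than forwarding it without credentials. -->
        <authentication-managed-identity
            resource="<AAD Application Client ID>"
            output-token-variable-name="msi-access-token"
            ignore-error="false" />
        <!-- Attach the token as a bearer credential; "override" replaces any Authorization header the caller sent. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
        <!-- Do not leak the APIM subscription key to the backend. -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this in place the forward-request trace entry should show an Authorization header on the outgoing request, and App Service authentication will accept the token provided the APIM identity's token audience is among the app's allowed token audiences.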