Securing your API in API Management using OAuth 2.0

Azure’s API Management allows individual APIs to do a variety of things, one of which is securing an API with built-in authorization servers and JWT token validation.  This tutorial by Microsoft is a great resource for implementing the authorization server and getting your site secured.  However, it lacks one key step: validating the Authorization header you’re sending to your API Management.

Validating the JWT authorization header

Once your authorization server is set up and you’re able to retrieve an access token, you may realize that you can still access your API with just a subscription key.  So what’s the deal?  The final step is to set up a policy rule that checks the JWT you’re sending and rejects the request if the access token is invalid.

Heading over to the policies for your API, this (simple) policy rule checks the bearer token (the `<validate-jwt>` element goes in the inbound section and must be closed; the URL placeholder is your Azure AD tenant name or GUID):

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/{name or GUID of your Azure directory}/.well-known/openid-configuration" />
</validate-jwt>
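As an added example (not part of the original post), here is the same rule placed in a complete inbound policy, tightened so that a token is only accepted if it was signed by the tenant, has not expired, and was issued for this specific API rather than for any app in the directory. `TENANT_ID_PLACEHOLDER`, `API_APP_ID_URI_PLACEHOLDER` and the `API.Read` role value are placeholders for your own tenant, app registration and app role.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the call with 401 unless the Authorization header carries a valid bearer JWT.
             A subscription key alone is no longer enough to reach the backend. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true">
            <!-- Signing keys and the expected issuer are discovered from the tenant's OpenID metadata.
                 TENANT_ID_PLACEHOLDER stands for your directory name or GUID. -->
            <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/.well-known/openid-configuration" />
            <!-- Only accept tokens minted for this API's app registration; without an audience check,
                 a token obtained for any other app in the same tenant would also pass. -->
            <audiences>
                <audience>API_APP_ID_URI_PLACEHOLDER</audience>
            </audiences>
            <!-- Optionally require an app role so that authenticated-but-unauthorized callers are rejected too.
                 API.Read is a placeholder role name. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>API.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

After saving the policy, a call with only the subscription key (no Authorization header) should now return 401 with the configured message, while a call carrying a current bearer token for the API's audience reaches the backend.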
