SanChea-9770 asked, PramodValavala-MSFT answered

Enabled OAuth2 in API Management but still can access the API without providing Authorization header

Hi everyone, I am working on protecting an API in APIM by using OAuth2 with AAD, following this official doc: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.

The end result is that I can generate the token fine, both in the normal API and in the Developer Portal. However, I can still access the API even without providing the Authorization header.

I wonder if this is expected or if I have not given the correct configuration.

Tags: azure-active-directory, azure-api-management

1 Answer

PramodValavala-MSFT answered

@SanChea-9770 The main section of the doc that you've shared which is required for APIM to validate tokens is the one about the validate-jwt policy. This is likely what you are missing, or you added it in the wrong scope.

The rest of the doc covers steps to create the relevant Azure AD artifacts and support OAuth2.0 based logins when testing APIs on the Developer Portal.
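The kind of validate-jwt policy the answer refers to, added here as an illustration (it is not code from the question, the answer or the linked doc). It assumes the Azure AD v2.0 endpoint; `{tenant-id}`, `{backend-app-client-id}` and `{scope-name}` are placeholders for values from your own tenant and app registration.

```xml
<!-- Added illustration: an API-scope policy document with validate-jwt in the inbound section.
     Values in braces are placeholders; replace them with your own tenant and app values. -->
<policies>
    <inbound>
        <!-- Keep whatever is inherited from the "All APIs" (global) scope -->
        <base />
        <!-- Reject the request with 401 unless a valid Azure AD access token is presented.
             Without this element nothing in APIM checks the Authorization header at all. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Signing keys and issuer are discovered from the tenant's OpenID metadata.
                 {tenant-id}: placeholder for your Azure AD tenant ID -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Must match the aud claim of the issued token: the app registration that
                     represents the backend API. {backend-app-client-id} is a placeholder. -->
                <audience>{backend-app-client-id}</audience>
            </audiences>
            <issuers>
                <!-- Pin the token issuer to this tenant so tokens from other tenants are rejected -->
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- Optional: additionally require a delegated scope on the token.
                 {scope-name} is a placeholder for a scope exposed by the backend app. -->
            <required-claims>
                <claim name="scp" match="any" separator=" ">
                    <value>{scope-name}</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Apply the policy at the API (or All APIs) scope that the unprotected call actually hits; a policy placed on a single operation covers only that operation, and every other request still reaches the backend without a token check.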
