Azure API management service fails to authorize a call to web app API - getting 403 Forbidden or 401 Unauthorized
I'm trying to set up an Azure API Management Service with one backend API hosted in an Azure web app. APIM is supposed to authenticate against the Web App with the help of a service principal.
I activated the system assigned managed identity of APIM and of the Web App and adapted the APIM inbound policy:
<inbound>
<authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />
<base />
<set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
</inbound>
The UID for the authentication-managed-identiy resource I got from the Authentication tab of the Web App as can be seen in the picture.
I also added the managed identity of the APIM as Contributor to the Web App. However, when I test my API in APIM, I get a "403 Forbidden" error.
If I remove the line <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />, I get a "401 Unauthorized" error.
I think this tells me that the authentication is working, but the APIM managed identity has no access rights to the API so the authorization fails.
How I can grant the APIM managed identity the correct access rights to my Web App API?
If I remove access restrictions to the Web App, I get a "200 OK" result, and the correct output, so the API access in general is working.
Follow the steps below to get this to work:
Create a new Application in Microsoft Entra ID or use an existing one. Use the Client ID of the registered app in the policy.
<policy> <inbound> <base /> <authentication-managed-identity resource="{ClientId of the Entra App}" /> <set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" /> </inbound> </policy>Enable System managed Identity in your APIM instance.
Look for the Enterprise Application which got created post-enabling the system managed identity and then copy the Application ID.
Then, configure the Authentication in the Web App as shown below. Paste the Application ID which you copied from step 3 in the allowed client applications field.
By doing as illustrated in the steps above, you should now be able to access the Web Apps in APIM:
- Azure API management service fails to authorize a call to web app API - getting 403 Forbidden or 401 Unauthorized
- kubectl versions Error: exec plugin is configured to use API version client.authentication.k8s.io/v1alpha1
- MongoDB: Understand createUser and db admin
- Blazor Server collocated JavaScript causing crash on Blazor connection timeout due to auth CORS policy
- ASP.NET Core Auth not staying signed in after browser closes (Azure AD B2C)
- Basic User Authentication for Static Site using AWS & S3 Bucket
- How to secure API with EntraID
- PostgreSQL Login Error: "password authentication failed for user 'postgres'"
- Kong Ingress Controller: Failed parsing resource errors, dataplane-synchronizer Could not update kong admin
- What is the correct way to set a cookie expiration when using Azure AD to login users to an ASP.NET Core 5 Web Application?
- Tiktok client key
- how to retrieve the token generated while using django allauth and django-rest-auth with django rest framework
- How to Verify WordPress 6.8 hash using Flask
- $request->getAttribute('fe_user') returns NULL in Typo3 v13
- How to center a component in Material UI and make it responsive?
- on_login function not getting executed in flet auth
- View source code with login (PHP)
- How to add a "Full Name" field to the Auth0 New Universal Login signup page
- How to configure ASP.NET Core 9 Web API so user can send a client secret as a request header when testing endpoints in the swagger documentation
- .NET OIDC token mapping different between id_token and userinfo endpoint
- WebAuthn: Can't create public key. Promise is rejected
- FastAPI authentication injection
- Swift - Sign in with apple always results in 'Sign up not completed' after the facial recognition runs
- How to add authentication for Swift in Xcode environment
- What are the main differences between JWT and OAuth authentication?
- Laravel 419 Page Expired on Hosting but Works Locally
- How can I log in and authenticate to PostgreSQL after a fresh install?
- What is a Pythonic way for Dependency Injection?
- Paypal auth not behaving correctly
- How to add user authentication to specific endpoints in FastAPI?