Is it valid to add multiple validate-jwt policies for B2B and B2C endpoints in Azure API Management for a single API?
B2C endpoint:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/b2c_1_signin/v2.0/.well-known/openid-configuration" />
    <audiences>
        ...
    </audiences>
</validate-jwt>
B2B endpoint:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration" />
    <audiences>
        ...
    </audiences>
</validate-jwt>
Yes, you can add multiple validate-jwt policies in a single API, but you need to keep each validate-jwt in a <choose> block under certain conditions, such as B2C and B2B.
If you add them directly as you have shared, the token will be compared against both endpoints and you will get a 401 error, as one of them will never match. So, it is recommended to keep them in a <choose> block.
You can give any condition you want in <when> to filter between B2B and B2C, so the token in the incoming request's header is compared with the correct endpoint.
<policies>
    <inbound>
        <base />
        <choose>
            <!-- B2C endpoint. context.Request.OriginalUrl is an IUrl object, so the string check goes on its Path property;
                 a C# string literal inside an XML attribute must be written with &quot; rather than single quotes. -->
            <when condition="@(context.Request.OriginalUrl.Path.Contains(&quot;/b2c&quot;))">
                <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
                    <openid-config url="https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/b2c_1_signin/v2.0/.well-known/openid-configuration" />
                    <audiences>
                        <audience>Your_B2C_Client_ID</audience>
                    </audiences>
                </validate-jwt>
            </when>
            <!-- B2B endpoint -->
            <when condition="@(context.Request.OriginalUrl.Path.Contains(&quot;/b2b&quot;))">
                <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
                    <openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration" />
                    <audiences>
                        <audience>Your_B2B_Client_ID</audience>
                    </audiences>
                </validate-jwt>
            </when>
            <!-- Fail closed: without this branch a request whose path matches neither condition
                 would reach the backend with no token validation at all. -->
            <otherwise>
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                </return-response>
            </otherwise>
        </choose>
    </inbound>
</policies>
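To make the reasoning in the answer concrete, here is an added Python simulation of the two policy layouts; it is example code written for this page, not code from the answer and not how Azure API Management is implemented. It models each <openid-config> as a profile with an expected issuer, audience and verification key, and shows that the question's sequential layout rejects every single-issuer token, while the <choose> layout accepts a token only for the path it belongs to and fails closed for any other path. All issuer URLs, audiences and keys are constructed placeholders, and HS256 shared secrets stand in for the RS256 keys APIM would fetch from the OpenID metadata URL, purely so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo data (not real tenant values). Each profile plays the role of
# one <openid-config> from the answer: expected issuer, expected audience and a
# verification key. HS256 is an assumption made only so this runs offline.
PROFILES = {
    "b2c": {"iss": "https://b2c.example.invalid/v2.0/", "aud": "Your_B2C_Client_ID", "key": b"demo-b2c-key"},
    "b2b": {"iss": "https://b2b.example.invalid/v2.0/", "aud": "Your_B2B_Client_ID", "key": b"demo-b2b-key"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> str:
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def mint_token(profile: str, ttl: int = 300) -> str:
    """Stand-in for the identity provider: issue a demo HS256 token for one profile."""
    p = PROFILES[profile]
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": p["iss"], "aud": p["aud"], "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}'.encode(), p['key'])}"


def validate_jwt(token: str, profile: str) -> bool:
    """Equivalent of one <validate-jwt>: signature, issuer, audience and expiry must all match."""
    p = PROFILES[profile]
    try:
        header_b64, payload_b64, sig = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return False
    if header.get("alg") != "HS256":
        return False  # only the expected algorithm is accepted
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), p["key"])
    if not hmac.compare_digest(expected, sig):
        return False
    return (
        claims.get("iss") == p["iss"]
        and claims.get("aud") == p["aud"]
        and isinstance(claims.get("exp"), int)
        and claims["exp"] > time.time()
    )


def sequential_policies(token: str) -> bool:
    """The question's layout: both validate-jwt policies run in turn, so the
    request survives only if every one of them accepts the token."""
    return all(validate_jwt(token, name) for name in PROFILES)


def route_profile(path: str) -> Optional[str]:
    """The <when> conditions: choose the profile from the request path (mirrors
    the answer's Contains check), or None when nothing matches."""
    if "/b2c" in path:
        return "b2c"
    if "/b2b" in path:
        return "b2b"
    return None


def handle_request(path: str, authorization: Optional[str]) -> int:
    """The <choose> layout: validate against the profile selected by the path and
    fail closed with 401 when no branch matches or the header is missing."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    profile = route_profile(path)
    if profile is None:
        return 401
    return 200 if validate_jwt(authorization[len("Bearer "):], profile) else 401
```

Running `handle_request("/b2c/profile", "Bearer " + mint_token("b2c"))` returns 200, the same token on a `/b2b` path or an unmatched path returns 401, and `sequential_policies()` returns False for tokens from either issuer, which is the 401 the answer describes for the stacked layout.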