Site icon 지락문화예술공작단

Secure API Access with NGINX and Azure Active Directory

Secure API Access with NGINX and Azure Active Directory

APIs play a critical role in application connectivity, but they are also vulnerable to attacks. In the past, with monolithic apps, there was only one entry point to secure. In microservices architectures, a single app often consists of many microservices connected via APIs, and each of those APIs could have hundreds of endpoints. This makes the potential attack surface for APIs huge, with every new API creating an entry point in your security perimeter.

There are many strategies to secure your APIs. One of the most fundamental is access control. Simply put, you must verify the user’s identity (authentication, or AuthN) and confirm that they can access certain resources (authorization, or AuthZ). Implementing OpenID Connect (OIDC) is one of the most common access control approaches used for APIs. You can get it up and running in minutes with API Connectivity Manager, part of F5 NGINX Management Suite.

In this tutorial, you’ll learn how to perform the authorization portion of the OIDC workflow by setting up JSON Web Token (JWT) validation with API Connectivity Manager and Azure Active Directory (Azure AD).

What is OpenID Connect?

OpenID Connect (OIDC) is an identity protocol built on top of the OAuth 2.0 protocol. OIDC allows clients to verify the identity of the end user or device. This is one part of access control, which includes both authentication and authorization:

There are many different implementations of OIDC, including Azure AD, which you’ll use in this tutorial. Alternatively, you can use other OIDC solutions – such as F5 BIG-IP Access Policy Manager (APM), Okta, Auth0, Ping Identity, and more – with API Connectivity Manager.

What You Need to Get Started

Make sure you have the following perquisites:

You can sign up for your 30-day free trial of NGINX Management Suite if you need access to API Connectivity Manager.

Create an Azure AD Application

Open a browser and log in to your Azure Portal.

Click on App registrations in the left-hand menu.

Figure 1: Azure AD Portal Home Page

Click on the New registration button.

Figure 2: Azure AD App Registration

To create a new application, supply a name, redirect URI and click the Register button. In this demo, you will leverage Postman, so you will use the Postman OIDC redirect URI.

Figure 3: Create a New Azure AD App

Now that your app is created, you need to create OAuth scopes to provide access to the API. Click on the Expose an API link in the left-hand menu.

Figure 4: Expose an API

Click Add a scope.

Figure 5: Add a Scope

Accept the default Application ID URI or create your own and click the Saveand continue button. If you want to create your own Application ID URI, you must register your desired domain with Azure AD.

Figure 6: Application ID URL

For this demo, your scope is based on a Microsoft example. Fill out the form with the following information then click the Add scope button:

Scope name: Employees.Read.All
Who can content?: Admins and users
Admin consent display name: Read-only access to Employee records
Admin consent description: Allow read-only access to all Employee data.
User consent display name: Read-only access to your Employee records
User consent description: Allow read-only access to your Employee data.

Figure 7: Add a Scope

Next, you need to authorize the client application. To do this, grab the Client ID. Click the Overview link in the left-hand menu and copy the Application (client) ID.

Figure 8: Application Client ID

Click on the Expose an API link again, then click the Add a client application button.

Figure 9: Add a Client Application

Paste the Application Client ID in the Client ID field and select the checkbox next to your Application ID URI. Then, click the Add application button.

Figure 10: Add a Client Application

Next, for this demo, you will leverage an authorization code with PKCE OAuth grant type, so a client secret will be needed for Postman. Click on the Certificates & secrets link in the left-hand menu, then click the New client secret button.

Figure 11: New Client Secret

Name your secret and leave the default expiration time.

Figure 12: Secret Name

Next, copy your client secret and store it in a password vault so you can use it later.

Figure 13: Client Secret

Configure JWT Assertion in API Connectivity Manager

Now that you have your Azure AD application configured, you can set up the API gateway cluster in API Connectivity Manager to perform JSON Web Token Assertion for your defined service. For this step, you’ll need to determine the URI for your Azure AD tenant’s JSON Web Key (JWK) Sets.

You can obtain your JWKS URI from the Azure AD tenant’s well-known endpoint:
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

This page will provide a JSON payload that contains the jwks_uri key. You will need to copy its value.

Figure 14: Azure AD Tenant Well-Known Endpoint

Now that you have your JWKS URI, open your API Connectivity Manager console and navigate to your service proxy’s configuration. Click Add Policy for the JSON Web Token Assertion policy.

Figure 15: Gateway Service Proxy Policies

Next, paste your Azure AD Tenant’s JKWS URI in the URI Location field , then click the Add button.

Figure 16: JSON Web Token Assertion Policy

Click the Save & Publish button to push this policy out to your API gateway cluster.

Figure 17: Service Gateway Policy

That’s it! Your API Connectivity Manager instance is now configured to perform JWT Assertion on the configured service gateway.

Testing with Postman

Now, it’s time to test your setup and ensure it behaves as expected. To get started, there are a few things you will need to get from your Azure AD Application:

To get the OAuth scope, open your Azure portal and navigate back to your app registration page. Next, click on the Expose an API link in the left-hand menu and click the Copy symbol for your scope. Save this value so you can use it in a few minutes.

Figure 18: API Scopes

To obtain the OAuth authorization and token endpoints, click the Overview link in the left-hand menu and then click the Endpoints button. After that, copy the authorization and token endpoint URIs.

Figure 19: Azure AD Application Endpoints

Figure 20: Azure AD Application Endpoint URLs

Open Postman and click on the Environments menu. Then, click the Create Environment link.

Figure 21: Postman Create Environment

Name your environment and add six variables with the values (saved from previous steps) into the Initial Value column and the Current Value column, then click the Save button.

Figure 22: Postman Environment Variables

Open a new tab in Postman and follow these steps:

Figure 23: Postman Request

Figure 24: Postman Auth Configuration

A browser window will open, and you will be prompted to log in with your Azure AD credentials. Once you have successfully authenticated, you will be redirected back to Postman, and the following window will appear. Click the Use Token button.

Figure 25: Postman Use Token

Now that you have your OAuth access token, you can finally make your API call. Click the Save button and then click the Send button.

If everything is configured correctly, you should see a 200 OK response.

Figure 26: Postman Successful Request

Conclusion

You now have API Connectivity Manager protecting your APIs using Azure AD OAuth Access tokens. The next steps would be to add additional OAuth scopes and configure the API gateway cluster in API Connectivity Manager to pass those scopes to your protected APIs – but that’s a topic for another post!

Get Started Today

Start a 30-day free trial of NGINX Management Suite, which includes API Connectivity Manager and Instance Manager.

A version of this post first appeared on codygreen.com. It is edited and reprinted here with permission from the author.

The post Secure API Access with NGINX and Azure Active Directory appeared first on NGINX.

Source: Secure API Access with NGINX and Azure Active Directory

Exit mobile version