Part 3: Configuring JWT token verification flows for Azure Active Directory

The JWT policies of SAP Cloud Platform API Management enables you to generate, verify and decode the JWT token.  In the Blog Series : JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management we have covered the modeling and configuration of JWT verification  policies for various Identity providers like SAP Cloud Platform XS UAA, Okta , Azure Active Directory . In this part of the blog series, we have covered the steps for Configuring the JWT token verification policy for Azure Active Directory.

Pre-requisite

• Part 1: Modeling the JWT token verification flows in SAP Cloud Platform API Management
• OAuth application flows in Azure Active Directory based on your use-case

Read OAuth Issuer and JWKS URI for your Azure Active Directory

• Logon to your Azure Portal and select Azure Active Directory tab

• Select Properties tab, to get your Azure Active Directory tenant Id. Copy and note down the value of the Directory Id. This field will be used in the JWT token verification policy in SAP Cloud Platform API Management.

• To get your JWKS URI and JWT Issuer, query your Azure Active Directory tenant OpenID connect metadata url by replacing the place holder {your_azure_active_directory_id} with the Directory ID copied in the previous step. https://login.microsoftonline.com/{your_azure_active_directory_id}/.well-known/openid-configuration and calling it from a browser.
• From the OpenID connect metadata URL response , copy the value of issuer and jwks_uri fields.

Configure OAuth Issuer and JWKS URI in SAP Cloud Platform API Management

• Navigate to API Portal service of your SAP Cloud Platform API Management.

• Navigate to Develop tab and select the API Proxy to you have modeled the JWT token verification policies. Refer part 1 of this blog series to model the JWT verification policies for your API Proxy.

• From the selected API Proxy details view, click Policies to open Policy Designer.

• Click Edit on the policy designer, to enter edit mode.

• Select the policy readJWKS policy and replace the URL element with the jws_uri element of your OpenID connect metadata URL response.

• Select the policy verifyJWT policy and replace the URL element with the issuer element of your OpenID connect metadata URL response.

• Select Update to persist all the policy changes

• Click Save to persist all the API Proxy changes.

Finally testing the JWT token verification flows

• Set the OAuth application on your Azure Active Directory that you can use for fetching JWT token. Details for setting up OAuth application for Azure Active Directory is covered in here.
• For the testing of this flow, the Client Credentials flow was used, simply because it is easier to test it from a test console like Postman.
• Connect to your Azure Active Directory tenant, register your OAuth Application, enter API permissions, provide your Client secrets. Use this OAuth client id and secret to get access token from Azure Active Directory token endpoint. Details is covered in this documentation.
• Call your API Proxy endpoint passing in your OAuth access received from Azure Active Directory in HTTP header named authorization in the format Bearer {oauth_access_token}.
• In case of successful JWT token validation, the response from your target server would be returned.

• Passing invalid access token or an empty access token will result in error with HTTP status code set to 401.

Refer Blog Series : JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management for more blogs on JWT verification policies.