Secure your API with Entra ID

This how-to guides you through the steps required to secure your API using Entra ID:

1. Grant access to your consumers
2. Validate tokens in requests from consumers

Use webproxy for outbound network connectivity from on-premises environments

If you're on-premises, you must enable and use webproxy to access Entra ID.

Grant access to consumers

Depending on who your consumers are, you must grant access to either applications, users, or both.

Applications

By default, no applications have access to your API. You must explicitly grant access to consumer applications.

app.yaml

spec:
  accessPolicy:
    inbound:
      rules:
        - application: app-a

        - application: app-b
          namespace: other-namespace

        - application: app-c
          namespace: other-namespace
          cluster: other-cluster

The above configuration authorizes the following applications:

• application app-a running in the same namespace and same cluster as your application
• application app-b running in the namespace other-namespace in the same cluster
• application app-c running in the namespace other-namespace in the cluster other-cluster

Users

By default, no users have access to your application. You must explicitly grant access to either specific groups, all users, or both.

Groups

The following configuration only grants users that are direct members of the specified groups access to your application:

app.yaml

spec:
  azure:
    application:
      enabled: true
      allowAllUsers: false
      claims:
        groups:
          - id: "<group identifier>"

Warning

Invalid group identifiers are skipped and will not be granted access to your application. Ensure that they are correct and exist in Entra ID.

All users

The following configuration grants all users access your application:

app.yaml

spec:
  azure:
    application:
      enabled: true
      allowAllUsers: true

Now that you have granted access to your consumers, they can now acquire tokens that target your application, either:

• on behalf of an employee, or
• as an application

You will need to validate these tokens in your application.

Validate tokens

Recommended JavaScript Library

See https://github.com/navikt/oasis that helps with token validation and exchange in JavaScript applications.

To validate the token, start by validating the signature and standard time-related claims. Additionally, perform the following validations:

Issuer Validation

Validate that the iss claim has a value that is equal to either:

1. the AZURE_OPENID_CONFIG_ISSUER environment variable, or
2. the issuer property from the metadata discovery document. The document is found at the endpoint pointed to by the AZURE_APP_WELL_KNOWN_URL environment variable.

Audience Validation

Validate that the aud claim is equal to the AZURE_APP_CLIENT_ID environment variable.

Signature Validation

Validate that the token is signed with a public key published at the JWKS endpoint. This endpoint URI can be found in one of two ways:

1. the AZURE_OPENID_CONFIG_JWKS_URI environment variable, or
2. the jwks_uri property from the metadata discovery document. The document is found at the endpoint pointed to by the AZURE_APP_WELL_KNOWN_URL environment variable.

Claims Validation

Other claims may be present in the token. Validation of these claims is optional.