Secure your API with Entra ID¶
This how-to guides you through the steps required to secure your API using Entra ID:
Use webproxy for outbound network connectivity from on-premises environments
If you're on-premises, you must enable and use webproxy to access Entra ID.
Grant access to consumers¶
Depending on who your consumers are, you must grant access to either applications, users, or both.
Applications¶
By default, no applications have access to your API. You must explicitly grant access to consumer applications.
spec:
accessPolicy:
inbound:
rules:
- application: app-a
- application: app-b
namespace: other-namespace
- application: app-c
namespace: other-namespace
cluster: other-cluster
The above configuration authorizes the following applications:
- application
app-arunning in the same namespace and same cluster as your application - application
app-brunning in the namespaceother-namespacein the same cluster - application
app-crunning in the namespaceother-namespacein the clusterother-cluster
Users¶
By default, no users have access to your application. You must explicitly grant access to either specific groups, all users, or both.
Groups¶
The following configuration only grants users that are direct members of the specified groups access to your application:
spec:
azure:
application:
enabled: true
allowAllUsers: false
claims:
groups:
- id: "<group identifier>"
where each group is specified by their unique identifier.
To find your group's identifier, see finding the group identifier.
Warning
Invalid group identifiers are skipped and will not be granted access to your application. Ensure that they are correct and exist in Entra ID.
All users¶
The following configuration grants all users access your application:
Groups and all users¶
If you want to implement custom group-based authorization logic in your application, combine the above two configurations:
spec:
azure:
application:
enabled: true
allowAllUsers: true
claims:
groups:
- id: "<group identifier>"
This has the following effects:
- All users will have access to your application
- If a given user is a direct member of any matching group, the group's identifier will be emitted in the
groupsclaim.
Now that you have granted access to your consumers, they can now acquire tokens that target your application, either:
You will need to validate these tokens in your application.
Validate tokens¶
Verify incoming requests from consumers by validating the JWT Bearer token in the Authorization header.
JWT Validation
Validating a JWT involves a number of steps. These steps are outlined and described below in a language- and framework-agnostic way.
Libraries for token validation
We recommend using a library in your language of choice to handle all the validation steps described below. Here are some recommended libraries:
- navikt/oasis (JavaScript)
- navikt/token-support (Java / Kotlin)
Validation is also supported by many popular frameworks:
- Ktor (Kotlin)
- Spring Security (Java / Kotlin)
To validate the token, start by validating the signature and standard time-related claims.
Additionally, perform the following validations:
Issuer Validation
Validate that the iss claim has a value that is equal to either:
- the
AZURE_OPENID_CONFIG_ISSUERenvironment variable, or - the
issuerproperty from the metadata discovery document. The document is found at the endpoint pointed to by theAZURE_APP_WELL_KNOWN_URLenvironment variable.
Audience Validation
Validate that the aud claim is equal to the AZURE_APP_CLIENT_ID environment variable.
Signature Validation
Validate that the token is signed with a public key published at the JWKS endpoint. This endpoint URI can be found in one of two ways:
- the
AZURE_OPENID_CONFIG_JWKS_URIenvironment variable, or - the
jwks_uriproperty from the metadata discovery document. The document is found at the endpoint pointed to by theAZURE_APP_WELL_KNOWN_URLenvironment variable.
Claims Validation
Other claims may be present in the token. Validation of these claims is optional.