Skip to content

Secure your API with Entra ID

This how-to guides you through the steps required to secure your API using Entra ID:

Use webproxy for outbound network connectivity from on-premises environments

If you're on-premises, you must enable and use webproxy to access Entra ID.

Grant access to consumers

Depending on who your consumers are, you must grant access to either applications, users, or both.

Applications

By default, no applications have access to your API. You must explicitly grant access to consumer applications.

app.yaml
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app-a

        - application: app-b
          namespace: other-namespace

        - application: app-c
          namespace: other-namespace
          cluster: other-cluster

The above configuration authorizes the following applications:

  • application app-a running in the same namespace and same cluster as your application
  • application app-b running in the namespace other-namespace in the same cluster
  • application app-c running in the namespace other-namespace in the cluster other-cluster

Users

By default, no users have access to your application. You must explicitly grant access to either specific groups, all users, or both.

Groups

The following configuration only grants users that are direct members of the specified groups access to your application:

app.yaml
spec:
  azure:
    application:
      enabled: true
      allowAllUsers: false
      claims:
        groups:
          - id: "<group identifier>"

Warning

Invalid group identifiers are skipped and will not be granted access to your application. Ensure that they are correct and exist in Entra ID.

All users

The following configuration grants all users access your application:

app.yaml
spec:
  azure:
    application:
      enabled: true
      allowAllUsers: true

Groups and all users

If you want to implement custom group-based authorization logic in your application, combine the above two configurations:

app.yaml
spec:
  azure:
    application:
      enabled: true
      allowAllUsers: true
      claims:
        groups:
          - id: "<group identifier>"

This has the following effects:

  • All users will have access to your application
  • If a given user is a direct member of any matching group, the group's identifier will be emitted in the groups claim.

Validate tokens

Now that you have granted access to your consumers, they can now acquire tokens that target your application, either:

You will need to validate these tokens in your application.

Recommended JavaScript Library

See https://github.com/navikt/oasis that helps with token validation and exchange in JavaScript applications.

To validate the token, start by validating the signature and standard time-related claims. Additionally, perform the following validations:

Issuer Validation

Validate that the iss claim has a value that is equal to either:

  1. the AZURE_OPENID_CONFIG_ISSUER environment variable, or
  2. the issuer property from the metadata discovery document. The document is found at the endpoint pointed to by the AZURE_APP_WELL_KNOWN_URL environment variable.

Audience Validation

Validate that the aud claim is equal to the AZURE_APP_CLIENT_ID environment variable.

Signature Validation

Validate that the token is signed with a public key published at the JWKS endpoint. This endpoint URI can be found in one of two ways:

  1. the AZURE_OPENID_CONFIG_JWKS_URI environment variable, or
  2. the jwks_uri property from the metadata discovery document. The document is found at the endpoint pointed to by the AZURE_APP_WELL_KNOWN_URL environment variable.

Claims Validation

Other claims may be present in the token. Validation of these claims is optional.