Sign a JWT with RSA SHA256 in APIM Policy Expression

  • Question

  • Hi, I'm trying to implement a scenario which involves integration with Salesforce.

    All requests to Salesforce need a bearer token in the Authorization header. To get the token we need to implement the OAuth 2.0 JWT Profile, ref. https://tools.ietf.org/html/rfc7523. This involves providing a signed JWT to the Salesforce token endpoint, which then issues an access token. The process is described here: https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5

    The scenario is similar to http://blog.ibiz-solutions.se/uncategorized/exposing-sap-gateway-services-with-api-management/ which reaches out and fetches a token then uses the token. 

    The question is, does anyone know if the scenario is supported and, if so, how can we do the RSA SHA256 signature in APIM?

    I can't see the RSACryptoServiceProvider in https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions and there's an error in the policy editor if you try and new up an RSACryptoServiceProvider.

    Looks like we need to add another component, such as an App Service, just to get the token, which doesn't seem right.

    Any help greatly appreciated!

    Thanks


    Thursday, October 4, 2018 2:34 PM

Answers

  • Duke,

    That sounds like the right thing to do. I'd appreciate it if you left some feedback on feedback.azure.com regarding this method. It feels like there should be a "custom authorization" ability in APIM, although ideally it just supports all of them. Having to use a backend just for that seems excessive to me too!

    Glad it's all working,

    Cody

    Monday, October 15, 2018 6:31 PM

All replies

  • Hello Duke,

    Do you need the APIM Gateway to actually manage this token, or the API on the backend? If you're pulling data from Salesforce, you should be setting up this token in the actual API itself - not the management policy. Or are you trying to use the same token to authenticate requests to your API?

    Let me know!

    Friday, October 12, 2018 5:45 PM
  • Hi Cody, thanks for the response.

    We were looking to 'project' the Salesforce API onto APIM for consumption by an external client. APIM would just delegate all requests directly to Salesforce; there's no transformation of the service requests, only of the auth scheme:

    Client -> APIM -> Salesforce

    Same pattern as http://blog.ibiz-solutions.se/uncategorized/exposing-sap-gateway-services-with-api-management/

    The reason for this is the external client integrates with an existing auth scheme which is different to the auth scheme on Salesforce, so we wanted to hide the Salesforce OAuth JWT flow from the client, and they just continue to use their existing auth mechanism. In a later phase of this work we want to add a new service contract to APIM and transform the requests before sending them to Salesforce.

    Because this is just a passthrough delegation scenario with no functionality in the service other than getting the Salesforce OAuth token for calling Salesforce from APIM, we didn't think there was any reason for adding a backend API between APIM and Salesforce. But it seems it's required right now, and we've implemented:

    Client -> APIM -> AppService -> Salesforce

    The AppService uses Microsoft.IdentityModel.Tokens.Jwt to do the Salesforce auth in a few lines of code, which I thought we could have scripted in APIM.

    thanks!

    Sunday, October 14, 2018 9:43 AM
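Added example, not code from the thread, from Microsoft or from Salesforce: the token-acquisition step the question describes (RFC 7523 JWT bearer assertion, signed with RS256, exchanged at the Salesforce token endpoint) and which the reply above moved into an App Service, written in C# with the System.IdentityModel.Tokens.Jwt NuGet package. The consumer key, username, audience, environment variable name and the PEM-encoded private key are placeholders; the class and method names and the 3-minute assertion lifetime are choices made here, not taken from the page. It assumes .NET 6 or later (for `RSA.ImportFromPem` and `System.Text.Json`).

```csharp
// Added example, not code from the original thread. Builds the RFC 7523 JWT
// bearer assertion for Salesforce's OAuth 2.0 JWT flow (alg RS256) and then
// exchanges it for an access token at the token endpoint.
// Assumptions (placeholders, not from the page): consumer key, username,
// login host, env var name and the PEM private key; .NET 6+;
// NuGet package System.IdentityModel.Tokens.Jwt.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

public static class SalesforceJwtBearer
{
    // grant_type value defined by RFC 7523 section 2.1.
    private const string JwtBearerGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    // Builds and RS256-signs the assertion. Claims the Salesforce flow uses:
    //   iss = connected app consumer key, sub = Salesforce username,
    //   aud = login host (https://login.salesforce.com, or
    //         https://test.salesforce.com for a sandbox),
    //   exp = a short-lived expiry (3 minutes chosen here; check the allowed
    //         window in the Salesforce document linked in the question).
    public static string BuildAssertion(RSA privateKey, string consumerKey,
                                        string username, string audience,
                                        TimeSpan? lifetime = null)
    {
        var now = DateTime.UtcNow;
        var credentials = new SigningCredentials(
            new RsaSecurityKey(privateKey), SecurityAlgorithms.RsaSha256); // "RS256"

        var token = new JwtSecurityToken(
            issuer: consumerKey,
            audience: audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, username) },
            notBefore: now,
            expires: now.Add(lifetime ?? TimeSpan.FromMinutes(3)),
            signingCredentials: credentials);

        // Compact serialization: base64url(header).base64url(payload).base64url(signature)
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // POSTs the assertion as a form body and returns the access_token field.
    public static async Task<string> GetAccessTokenAsync(HttpClient http,
                                                         string tokenEndpoint,
                                                         string assertion)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = JwtBearerGrantType,
            ["assertion"] = assertion,
        });

        using var response = await http.PostAsync(tokenEndpoint, form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException(
                $"token request failed: HTTP {(int)response.StatusCode} {body}");

        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString()
               ?? throw new InvalidOperationException("no access_token in response");
    }

    // Usage sketch; every identifier below is a placeholder.
    public static async Task Main()
    {
        string pem = Environment.GetEnvironmentVariable("SF_PRIVATE_KEY_PEM")
                     ?? throw new InvalidOperationException("SF_PRIVATE_KEY_PEM not set");
        using var rsa = RSA.Create();
        rsa.ImportFromPem(pem); // PKCS#1 or PKCS#8 PEM

        string assertion = BuildAssertion(rsa,
            consumerKey: "<connected-app-consumer-key>",
            username: "integration.user@example.com",
            audience: "https://login.salesforce.com");

        using var http = new HttpClient();
        string accessToken = await GetAccessTokenAsync(http,
            "https://login.salesforce.com/services/oauth2/token", assertion);

        // accessToken is what goes into "Authorization: Bearer ..." on the
        // delegated Salesforce calls (APIM -> Salesforce in the thread's diagram).
        Console.WriteLine(accessToken.Length > 0 ? "token acquired" : "empty token");
    }
}
```

Two points worth keeping in view with this pattern: the RSA private key is the credential for the whole integration, so the component that signs (the App Service in this thread, since the policy editor rejects RSACryptoServiceProvider) should load it from a secret store such as Key Vault rather than from configuration or source, and the `aud` value must match the login host you POST to, otherwise Salesforce rejects the assertion. Salesforce also only honours the assertion for a user whose access to the connected app has already been approved, so a first run that fails with an OAuth error is more often an approval or `aud` mismatch than a signing problem.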
  • Thanks, I've created a suggestion...

    https://feedback.azure.com/forums/34192--general-feedback/suggestions/35736220-sign-a-jwt-with-rsa-sha256-in-apim-policy-expressi

    thanks

    Tuesday, October 16, 2018 8:38 AM