How to handle dual JWT validation (APIM OAuth + Backend Azure AD) without breaking Data API Builder integration? #145

@ailivesmatter

Description:
Scenario:

I have an API backend built with Azure Data API Builder (DAB).
DAB enforces Azure AD JWT validation (configured with audience and issuer in dab-config.json).
When calling DAB directly with a token for its App Registration, everything works fine.

Problem after publishing via APIM:

The API is onboarded to Azure API Management, which also enforces OAuth 2.0 validation using validate-jwt policy.
Both APIM and DAB expect Authorization: Bearer <token>, but:

APIM expects a token for APIM’s App Registration.
DAB expects a token for DAB’s App Registration.

If I send APIM’s token → DAB rejects it (audience mismatch).
If I send DAB’s token → APIM rejects it (audience mismatch).

Goal:

Keep both layers secure (APIM + DAB) without disabling DAB’s JWT validation.
Avoid unnecessary complexity or performance penalties if possible.

What I’ve tried:

Added validate-jwt in APIM for APIM App audience.
Tried forwarding the original token to DAB → fails because DAB validates its own audience.
Implemented On-Behalf-Of (OBO) flow in APIM policy:

send-request to AAD /oauth2/v2.0/token with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and requested_token_use=on_behalf_of.
Successfully exchanges APIM token for DAB token and rewrites Authorization header.

This works but adds complexity and latency.

Questions:

Is OBO flow in APIM policy the recommended approach for this scenario?
Are there built-in APIM features (e.g., authentication-managed-identity or delegation) that can simplify this pattern?
Any best practices for integrating APIM with backends like DAB that enforce their own Azure AD JWT validation?
Is there a way to validate APIM token at the gateway but forward DAB token without OBO (e.g., dual token headers)?

Environment:

APIM: Global Azure
AAD Tenant: Global Azure AD
Backend: Azure Data API Builder hosted on Azure App Service (China region, but using Global AAD)
Auth Flow: Client → APIM (OAuth) → DAB (Azure AD JWT)

Would appreciate any official guidance, recommended patterns, or sample policies for this scenario. Thanks!
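As an added illustration (not code from the original post, and not an official Microsoft sample), the inbound policy below shows the shape of what the post describes under "What I've tried": validate-jwt for the APIM app registration, a send-request OBO exchange, and an Authorization header rewrite, with a short-lived cache in front of the exchange so the round trip to AAD is not paid on every call. The named values {{tenant-id}}, {{apim-app-client-id}}, {{apim-app-client-secret}} and {{dab-app-client-id}}, the api://... audience strings and the 600-second cache duration are assumptions chosen for the example, not values taken from the post.

```xml
<policies>
  <inbound>
    <base />
    <!-- 1. Gateway check: the caller must present a token minted for APIM's own app registration.
         Nothing below runs unless this passes, so later expressions can assume a parseable JWT. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- assumption: audience of the APIM app registration -->
        <audience>api://{{apim-app-client-id}}</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
      </issuers>
    </validate-jwt>

    <!-- 2. Reuse an already-exchanged DAB token for the same caller (keyed on the validated token's
         "sub" claim) instead of calling AAD on every request. -->
    <set-variable name="callerSubject"
                  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt().Subject)" />
    <cache-lookup-value key="@("dab-obo-" + (string)context.Variables["callerSubject"])"
                        variable-name="dabToken" />

    <choose>
      <when condition="@(!context.Variables.ContainsKey("dabToken"))">
        <!-- 3. On-Behalf-Of exchange: the caller's APIM token is the assertion; the result is a token
             whose audience is DAB's app registration. A JWT is base64url, so it needs no URL-encoding. -->
        <send-request mode="new" response-variable-name="oboResponse" timeout="20" ignore-error="false">
          <set-url>https://login.microsoftonline.com/{{tenant-id}}/oauth2/v2.0/token</set-url>
          <set-method>POST</set-method>
          <set-header name="Content-Type" exists-action="override">
            <value>application/x-www-form-urlencoded</value>
          </set-header>
          <set-body>@{
            var incoming = context.Request.Headers.GetValueOrDefault("Authorization", "").Substring("Bearer ".Length);
            return "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer"
                 + "&amp;client_id={{apim-app-client-id}}"
                 + "&amp;client_secret={{apim-app-client-secret}}"
                 + "&amp;assertion=" + incoming
                 + "&amp;scope=" + System.Net.WebUtility.UrlEncode("api://{{dab-app-client-id}}/.default")
                 + "&amp;requested_token_use=on_behalf_of";
          }</set-body>
        </send-request>

        <!-- Fail closed: never forward the caller's original token to DAB if the exchange did not succeed. -->
        <choose>
          <when condition="@(((IResponse)context.Variables["oboResponse"]).StatusCode != 200)">
            <return-response>
              <set-status code="401" reason="Unauthorized" />
              <set-body>Token exchange for the backend failed</set-body>
            </return-response>
          </when>
        </choose>

        <set-variable name="dabToken"
                      value="@(((IResponse)context.Variables["oboResponse"]).Body.As<JObject>()["access_token"].ToString())" />
        <!-- assumption: 600 s is well below the lifetime of the exchanged token -->
        <cache-store-value key="@("dab-obo-" + (string)context.Variables["callerSubject"])"
                           value="@((string)context.Variables["dabToken"])" duration="600" />
      </when>
    </choose>

    <!-- 4. Replace the caller's APIM token with the DAB token before the request leaves the gateway. -->
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["dabToken"])</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Two things to check before using a policy like this: {{apim-app-client-secret}} should be a secret named value (ideally Key Vault backed) and the APIM app registration needs the DAB API's scope granted, otherwise the token endpoint returns an error and the fail-closed branch rejects every call; and the cache entry is keyed only on the caller's subject, so the TTL must stay shorter than the exchanged token's lifetime and the cache must be the gateway's internal or a trusted external cache, since it holds bearer tokens for the backend.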