Description:
Scenario:
I have an API built using Azure Data API Builder (DAB).
DAB is configured with Azure AD JWT authentication and works fine when called directly.
Example dab-config.json snippet:

```json
"authentication": {
  "provider": "AzureAD",
  "jwt": {
    "audience": "",
    "issuer": "https://login.microsoftonline.com//v2.0"
  }
}
```
When I publish this API through Azure API Management (APIM), APIM enforces its own OAuth 2.0 validation (using validate-jwt policy).
Both APIM and DAB expect an Authorization: Bearer header, but the tokens differ:
APIM validates tokens issued for APIM’s App Registration.
DAB validates tokens issued for DAB’s App Registration.
Problem:
If I pass the token for APIM, DAB rejects it (audience mismatch).
If I pass the token for DAB, APIM rejects it (audience mismatch).
I want to keep both layers secure (APIM + DAB) without disabling DAB’s JWT validation.
What I’ve tried:
Added validate-jwt in APIM policy for APIM App audience.
Tried forwarding the original token to DAB → fails because DAB expects its own audience.
Considered On-Behalf-Of (OBO) flow in APIM policy to exchange the APIM token for a DAB token.
Wrote a policy using to call AAD /oauth2/v2.0/token with urn:ietf:params:oauth:grant-type:jwt-bearer and requested_token_use=on_behalf_of.
Deployment works after fixing XML structure, but this adds complexity and latency.
Questions:
Is OBO flow in APIM policy the recommended approach for this scenario?
Does DAB support any configuration to trust multiple audiences (e.g., APIM and DAB App IDs) so we can avoid token exchange?
Are there best practices for APIM + DAB integration when both enforce Azure AD JWT validation?
Any official guidance or sample policies for this pattern?
Environment:
DAB: Hosted on Azure App Service (China region, but using Global Azure AD tenant).
APIM: Global Azure.
AAD Tenant: Global Azure AD.
Auth Flow: Client → APIM (OAuth) → DAB (Azure AD JWT).
Would appreciate any official recommendations or examples for this integration pattern. Thanks!