Alternative to Azure Application Proxy, which requires the Authorization header

Published 2025-02-10 02:12:44 · word count 2853 · 1 view · 0 comments


I am using Azure API Management to connect to an on-prem backend service (API) that is secured through Azure Active Directory. But in my setup both Azure Application Proxy + the backend service are in conflict because they both require, or claim, the Authorization http header.

The situation:

APIM => Application Proxy => Managed Identity => Backend service (API)
        |--> requires Authorization: Bearer      | 
                                                 |
                                                 |--> also requires Authorization: Bearer

The problem is that both the backend service and App Proxy/Managed identity require the same http header: Authorization.
When using managed identity, this http header field gets overwritten, or hijacked, by the App Proxy / Managed Identity.

Example from the trace logs:

authentication-managed-identity (0.577 ms)
{
    "message": "Obtaining managed identity token using clientId:1139001d-75a0-451a-8fdc-14672baad4f4 AAD Authority:https://login.windows.net/e64eed3b-130b-4001-b50d-f867ed318682 for 1ca6a7dc-02e0-409c-aa39-c378cf0620db audience succeeded.",
    "errorResponse": null
}

set-header (0.009 ms)
{
    "message": "Specified value was assigned to the header (see below).",
    "header": {
        "name": "Authorization",
        "value": "Bearer ...
}

Things I've tried:

  • In APIM, attempt to overwrite the Authorization header in a <backend> policy; unfortunately, you cannot add additional backend policies in APIM (see this thread);
  • Haven't found anything in the Azure docs;
  • It is not possible in the backend service to use a different http header name for Authorization;

An example of my APIM configuration:

<policies>
    <inbound>
        <base />
        <!-- [required] fetch a token from Azure AD -->
        <authentication-managed-identity resource="abc...123" client-id="def...456" 
            output-token-variable-name="msi-access-token" ignore-error="false" />

        <!-- [required] inject the token in Authorization header, otherwise you need to login with AD first; this overwrite is the problem.
        -->

        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
        <!-- cannot add additional policies here? -->
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

The question: is there a way to prevent the Authorization header being overwritten in this setup? Or differently put, deliver the original Authorization: Bearer to the backend service?

Alternatively, is there a way to use a different means of authentication for App Proxy/Managed identity, instead of using the Authorization header (perhaps a different name, or through http body)?
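An added example, not the poster's policy and not a documented answer to the question: it keeps the poster's inbound pipeline but makes APIM verify the caller's own bearer token and save a copy of it before the `set-header` override discards it, because once the managed-identity token is injected the backend only ever sees APIM's identity, never the original caller's. The openid-config URL, tenant id, audience and the `original-authorization` variable name are placeholders/assumptions; `resource` and `client-id` are copied from the poster's elided values.

```xml
<policies>
    <inbound>
        <base />
        <!-- Enforce the caller's token here, since the backend cannot do it
             after the override below. URL and audience are placeholders. -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      failed-validation-error-message="Caller token missing or invalid">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
            <audiences>
                <audience>api://placeholder-backend-app-id</audience>
            </audiences>
        </validate-jwt>

        <!-- Keep a copy of the incoming header in a context variable (assumed name);
             after set-header it no longer exists on the forwarded request. -->
        <set-variable name="original-authorization"
                      value="@(context.Request.Headers.GetValueOrDefault("Authorization", ""))" />

        <!-- Same managed-identity token fetch as in the question -->
        <authentication-managed-identity resource="abc...123" client-id="def...456"
            output-token-variable-name="msi-access-token" ignore-error="false" />

        <!-- This override is the step that replaces the caller's token with APIM's -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The expression inside `value="..."` follows the quoting style used in the APIM policy reference; the variable is only a saved copy and is not forwarded, since the backend accepts no alternative header name.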
