Upstream Azure AD Service Auth

This policy adds a Authorization header to the upstream request that allows using Azure AD to authenticate requests to your origin server. This is a useful means of securing your origin server so that only your Zuplo gateway can make requests against it.

Using this policy allows you to delegate authentication and authorization to your gateway without writing any code on your origin service. For instructions on how to configure Azure AD authentication see Configure your App Service or Azure Functions app to use Azure AD login.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-upstream-azure-ad-service-auth-inbound-policy",
  "policyType": "upstream-azure-ad-service-auth-inbound",
  "handler": {
    "export": "UpstreamAzureAdServiceAuthInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "activeDirectoryClientId": "20edbb34-13e9-42d0-a63c-1b6a0a20d02d",
      "activeDirectoryClientSecret": "$env(ACTIVE_DIRECTORY_CLIENT_SECRET)",
      "activeDirectoryTenantId": "b8e4141e-31f4-43e3-9a96-f97f3eba1eea",
      "expirationOffsetSeconds": 300,
      "tokenRetries": 3
    }
  }
}

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

activeDirectoryTenantId <string> (Required) -
Azure Active Directory Tenant ID.
activeDirectoryClientId <string> (Required) -
The Application (client) ID of the Azure AD App Registration.
activeDirectoryClientSecret <string> (Required) -
The client secret of the Azure AD App Registration.
tokenRetries <number> -
The number of times to retry fetching the token in the event of a failure..
Defaults to 3.
expirationOffsetSeconds <number> -
The number of seconds less than the token expiration to cache the token.
Defaults to 300.

Upstream Azure AD Service Auth Policy

Configuration

Policy Options

Using the Policy