Azure API Management - Authorize Attribute

Question

I'm hosting my API in Azure and configured API Management for authentication and authorization. Do I still need to include the [Authorize] attribute on my api controllers? If so, what would I need in the Startup class to allow access when calling through Azure, but be unauthorized if call the endpoints directly?

    [ApiController]
    [Route("api/[controller]")]
    public class TestController : BaseController

Answer 1

As per my understanding from your question you can take up in this way.

1. Still go with [Authorize], as after hosting in APIm stil app need to authorize the user, post authentication.

2. Authentication will be there in startup.cs

   services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options => { options.Authority = <<Pass your authority>>; options.Audience = <<Pass audience>>; options.RequireHttpsMetadata = true; options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = false }; });

3. Use Validate Jwt Inbound policy in APIM.

4. But if the user is able to generate a required Bearer token then it should be able to access. If you want to restrict if it's not from APIM then you can check the APIM subscription Key in the header & can decline the user request.