Pass AD token through Azure APIM to Dynamics Web API Service


I have an Azure APIM service that connects behind the scenes to the Dynamics Web API. I have an existing App Registration (backend-crm-api) that exposes access to the Dynamics Web API - this is done via App Registration.

We would like to have a user connect to APIM, take their user token and pass that to the Dynamics Web API to query against.

I thought the way to do this was to create another App Registration and use the validate-azure-ad-token to validate the token and then pass this along to our query in API to use as the token (could not find a concrete example on this).

I've done the following:

  • Created another App Registration - front-end-client - that consumes the backend-crm-api app.
  • On the front-end-client, I am validating the incoming token via validate-azure-ad-token.


Both the front-end-client and backend-crm-api app and my user, have access to the CRM tenant - I've previously validated their permissions for the query.

I "thought" by using validate-azure-ad-token, I'd be getting the token of my own user account that I would then be validating and then be able to use to query the dynamics web API with.

However, whenever I pass this token into the system, I get a 401 Unauthorized back from the client? In the pic above, I am connecting as the dynamics-crm-backend-api, but I have tried this with the front-end API and both return unauthorized?


1

There is 1 answer

0
Vitaliy Kurokhtin On

validate-azure-ad-token does only that: it validates the token sent by the client; the additional options on the policy merely make it convenient to expose that very same token as a variable for later processing in the policy if needed. Judging by the headers, your 401 is coming from backend-crm-api (you can confirm that via Trace).

It's a bit unclear from your explanation who currently obtains the token to call backend-crm-api. If this is done inside APIM via custom policies or the Authorizations functionality:

<client> -- Token A --> <APIM (front-end-client)> -- Token B --> backend-crm-api

Then all you need to make sure of is that you obtain the correct token to call CRM.

If, on the other hand, at the moment it is your clients that obtain the token for CRM, then either you need to invest in making it possible for APIM to obtain its own (non-user) token to call CRM (as above), or keep users sending CRM tokens to APIM for validation and have APIM forward those tokens to CRM:

<client> -- CRM Token --> <APIM (front-end-client)> -- CRM Token --> backend-crm-api
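Added example of the first flow (Token A -> Token B) as an APIM inbound policy; this is not code from the question or the answer. All {{...}} values are placeholder named values, and it assumes the APIM managed identity has been registered as an application user in the Dataverse org.

```xml
<policies>
  <inbound>
    <base />
    <!-- Step 1: validate the caller's token (Token A). The audience must be the one the client
         requested a token for, i.e. this APIM API, not CRM; a CRM-audience check here is one
         way to end up with a 401 that looks like it comes from the backend. -->
    <validate-azure-ad-token tenant-id="{{tenant-id}}" header-name="Authorization"
                             failed-validation-httpcode="401" output-token-variable-name="caller-jwt">
      <client-application-ids>
        <application-id>{{front-end-client-app-id}}</application-id>
      </client-application-ids>
      <audiences>
        <audience>api://{{front-end-client-app-id}}</audience>
      </audiences>
    </validate-azure-ad-token>
    <!-- Step 2 (Token A -> Token B): APIM obtains its own Dataverse token with its managed
         identity and replaces the caller's Authorization header. ignore-error="false" makes a
         missing or unassigned identity fail loudly instead of forwarding the user's token. -->
    <authentication-managed-identity resource="https://{{crm-org}}.crm.dynamics.com"
                                     output-token-variable-name="crm-token" ignore-error="false" />
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["crm-token"])</value>
    </set-header>
    <!-- Step 3: Dataverse now authorises APIM's identity, not the user's. To keep the user's
         security roles in force, impersonate via CallerObjectId from the validated oid claim;
         the application user needs the "Act on Behalf of Another User" privilege for this.
         Refuse the call rather than silently run it as the service identity if oid is absent. -->
    <choose>
      <when condition='@(((Jwt)context.Variables["caller-jwt"]).Claims.ContainsKey("oid"))'>
        <set-header name="CallerObjectId" exists-action="override">
          <value>@(((Jwt)context.Variables["caller-jwt"]).Claims["oid"][0])</value>
        </set-header>
      </when>
      <otherwise>
        <return-response>
          <set-status code="403" reason="Forbidden" />
        </return-response>
      </otherwise>
    </choose>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```

For the second flow in the answer (the client already holds a CRM token), drop steps 2 and 3 and set the audience to https://{{crm-org}}.crm.dynamics.com; the validated Authorization header is then forwarded to CRM unchanged.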