My GitHub repo shows you how to build a simple web app that has a user interactively sign-in and then call an API protected via the OAuth2 validate-jwt token policy. There is also an example of a daemon (background process with no user interactively signed in) accessing this same API. The APIM policy will also log the Application ID of the calling AAD application and log the request to Azure Event Hub for further processing.
In both cases, the APIM & backing API don’t know or care about how the calling application authenticated & got an access token (either via Authorization Code Flow or Client Credential Flow). The same validate-jwt policy can be used for both.
How logging AAD client app works in APIM policy
The APIM XML policy below is based on the Advanced Monitoring documentation page. It also includes code to decode the JWT token that is received on every API call, decode it, capture the appid claim and then send it to Event Hub so we can capture the calling AAD application.
<log-to-eventhub logger-id="eventHubLogger" partition-id="0">@{
var requestLine = string.Format("{0} {1} HTTP/1.1\r\n",
context.Request.Method,
context.Request.Url.Path + context.Request.Url.QueryString);
var body = context.Request.Body?.As<string>(true);
if (body != null && body.Length > 1024)
{
body = body.Substring(0, 1024);
}
var headers = context.Request.Headers
.Where(h => h.Key != "Authorization" && h.Key != "Ocp-Apim-Subscription-Key")
.Select(h => string.Format("{0}: {1}", h.Key, String.Join(", ", h.Value)))
.ToArray<string>();
var headerString = (headers.Any()) ? string.Join("\r\n", headers) + "\r\n" : string.Empty;
var jwt = context.Request.Headers.GetValueOrDefault("Authorization",string.Empty).Split(' ').Last().AsJwt();
var appId = jwt.Claims.GetValueOrDefault("appid", string.Empty);
return "request:" + context.Variables["message-id"] + "\n"
+ requestLine + headerString + "\r\n" + body + "\n"
+ "appId:" + appId;
}</log-to-eventhub>Pre-requisites
- Azure subscription & resource group
- Azure CLI
- dotnet CLI
- .NET 6
- Azure Function CLI
- PowerShell
- Visual Studio Code
- Event Hub Visual Studio Code Extension
Run the sample apps
Set up Event Hub logging in VS Code to see appid captured from access tokens
- Open VS Code.
- Open the
Command Palette(Ctrl+Shift+P) and type inEventHub: Select EventHub. Select your Event Hub. - Open the
Command Palette(Ctrl+Shift+P) and type inEventHub: Start Monitoring Event Hub Message.This will open theAzure Event Hub ExplorerOutput window.As you run each app, you will see the output from the Event Hub logger policy in APIM, capturing theappidfield.
Run the user app
- Update the
/web/client/user/appsettings.jsonfile with your local values.- You can get a
EchoAPISubscriptionKeyfrom the Azure portal. Open theAPI Managementinstance and click on thesubscriptionsblade. Select aProductand click on the ellipsis, then click onShow/hide keys.
- You can get a
- Run the .NET codedotnet run –project ./web/client/user
- Run the
Azure Event Hub Explorerto see the messages being sent to theeh-logicApimKey-ussc-demotopic. - Open a browser to the default address (https://localhost:7071)
- Sign-in if prompted
- Click on the
Call APIbutton - Notice the values that have been sent to the Event Hub from your policy in APIM.
Run the api app
- Update the
/web/client/api/appsettings.jsonfile with your local values.- You can get a
EchoAPISubscriptionKeyfrom the Azure portal. Open theAPI Managementinstance and click on thesubscriptionsblade. Select aProductand click on the ellipsis, then click onShow/hide keys.
- You can get a
- Run the .NET codedotnet run –project ./web/client/api
- Run the
Azure Event Hub Explorerto see the messages being sent to theeh-logicApimKey-ussc-demotopic. - Open a browser to the default address (https://localhost:7108)
- Sign-in if prompted
- Change the URL to the API endpoint (https://localhost:7108/vehicle)
- Notice the values that have been sent to the Event Hub from your policy in APIM.