Custom Authentication with Azure API Gateway

Custom Authentication with Azure API Gateway

This article shows an Azure API management policy sample that demonstrates how to secure API access by using an external authenticator encapsulating custom authentication logic.

Before we look into implementation of Custom authentication with Azure API Management, we shall look about API management.

Azure API Management (APIM) helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. APIM enables you to create and manage modern API gateways for existing backend services hosted anywhere.

Benefits of using azure API management

  • Use advanced security policies like JWT tokens, certificates, and other credentials
  • Secures backend services by gating access with API keys.
  • Prevents Denial of Service (DOS) attacks by using throttling
  • And many other benefits

Architecture of APIM:

Architecture of APIM

Azure API management is on top of our three back-end APIs (Orders API, Catalog API and Marketing APIs). Every call to these back-end APIs goes through Azure API management service.


We want to implement custom authentication in the project wherein authentication is done through a third party authentication server. We want every incoming request to be validated against the authentication server, so each request should be redirected to and have the token validated. If the token is valid then let it proceed with the request or else send 401.

How to secure API access by using external authorizer custom authentication logic?

External authenticator evaluates only the information contained within the Authorization header. Alternatively, for example, a full copy of the incoming request can be forwarded to the authenticator by setting “mode” to copy in the send-request policy.

External authenticator responds with status that is set to 200 OK if authentication was successful and 401 Unauthorized if it wasn’t.

Getting started

To use API Management, we need to create APIs. Each API consists of one or more operations, and each API can be added to one or more products. To use an API, developers subscribe to a product that contains that API, and then they can call the API’s operation, subject to any usage policies that may be in effect using the Azure portal.

Create a new service

From the Azure portal menu, select Create a resource. You can also select Create a resource on the Azure Home page.

Create Resource

– On the New page, select Integration > API Management

API management

– In the API Management service page, enter settings

Create API Management

– It will take some minutes to create the instance of service. Once it is ready, we will be able to add APIs and apply policies on those APIs.

Go to your API Management instance

– Once, API Management service is deployed and status online. We will have the below screen and create new APIs.

– Now, I already have an Orders API which is open and does not have any authentication mechanism. So, anyone who has the URL of this API can call this and view the list of orders in the response. See the request below done using Postman:

– I need to add the custom authentication for this order endpoint. We need to add this API in Azure API management and add the policy to do the custom authentication. I have added the Orders API.
custom authentication API

– To add the policy in the orders endpoint, we need to go to the Inbound Processing section and click on the icon as highlighted in above screenshot to set the policy.

– To authenticate the request using custom auth. We need an external authorizer’s URL (e.g. where we need to redirect the request first and check the response code (200 OK) to verify authentication of request.

– Before redirecting the request to the authentication provider, – First, we need to check the Authentication header and if it is present then only redirect otherwise respond with 401 Unauthorized. See the policy below verify this:

– After validating the request header, we need to forward the request to authentication server using below code:

request to authentication server

In the above screen, we have stored the response of the request in the using this:


And we are extracting the response to get the status code of the authorizer’s response like:

<set-variable name=”status” value=”@(((IResponse)context.Variables[“authResponse”]).StatusCode)” />

So, we will have a status variable which contains the status code of the authentication server response. And we need to check the status code that is set to 200 OK if authorization was successful and 401 Unauthorized if it wasn’t.

That’s it! We are done with our APIM policy and now the order endpoint request will be first redirected to the external authorizer endpoint and based on the status code of response it will call our endpoint.

Inbound policy: You can see full policy code here.

Wrapping Up

This was quite extensive, right? We believe you found it resourceful and that you would use it in your projects. If you intend to keep things simple in terms of cloud migration services, you could reach out to a reliable cloud migration company like ours. We also specialize on Azure application development.

The following two tabs change content below.

Haresh Hanat

Sr. Software Developer(.Net) at Dev Information Technology Ltd.
Haresh Hanat is a computer engineer by education and a senior software developer by profession. With over seven years of experience as a software engineer, Haresh is an expert at .NET, MEAN stack, and cloud technologies. During his time of leisure, Haresh likes to play cricket. He is a Microsoft certified Azure cloud developer with exceptional problem solving and grasping skills. He aims to develop cutting-edge software solutions in the future to come!

Leave a Reply

Your email address will not be published. Required fields are marked *