What is the equivalent of an AWS Lambda Authorizer within Azure API Management?

I am looking to create a custom API authoriser within Azure.

I have an Azure API Management created, which has a single API. That single API connects to a backend Azure Function.

Right now, the only "authorization" is using the Subscription key.

I would like to create a custom authoriser (preferably an Azure function) on my API which gets invoked BEFORE hitting the backend Azure function.

The custom authorizer, in this case, would be doing webhook payload validation.

I would like to create a specific authorizer because it would save me copying and pasting code into each backend Azure function.

I have seen the following article: Authorize requests using external authorizer, but this would require me to put the URL of the Azure function, and I would have to build a custom authorization onto that function. It all seems messy.

So, my question is: is there an easy way to create an Azure function (or equivalent) that can do a custom authorization? Like in AWS, where you have API Gateway Lambda authorizers.



Solution 1:[1]

The "Brazil" example on the AWS page you provided is purely similar to native functionality in APIM's policy -> validate-jwt. Use this: enforce your API callers to use an Authorization: Bearer token (which they have to generate first against your Azure tenant/issuer), then analyze it with this validate-jwt policy. You can specify various options there (e.g. accept only specific audiences, appids, upns, etc.).
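The validate-jwt approach from the answer above, written out as an API-scope policy so it runs before any operation reaches the backend function. This is an added example, not part of the original post; the tenant ID, API application ID and caller application ID are placeholders, and it assumes the API's app registration issues v2.0 access tokens.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the request at the gateway unless it carries a valid
             "Authorization: Bearer <token>" header. The backend is never
             called when validation fails. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <!-- Signing keys and issuer are loaded from the tenant's
                 OpenID Connect metadata. TENANT_ID_PLACEHOLDER is not a real value. -->
            <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <!-- Accept only tokens issued for this API (the "aud" claim). -->
            <audiences>
                <audience>API_APP_ID_PLACEHOLDER</audience>
            </audiences>
            <!-- Accept only specific calling applications. v2.0 tokens carry the
                 client application ID in "azp"; v1.0 tokens carry it in "appid". -->
            <required-claims>
                <claim name="azp" match="any">
                    <value>CALLER_APP_ID_PLACEHOLDER</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the policy sits at API scope, every operation inherits it through `<base />`, so the token check does not have to be copied into each backend function.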

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 maras2002