I followed the https://www.youtube.com/watch?v=TRrBqNYtyj8 video to secure my backend API using Azure API Management. After following the steps the workflow was not working and I had to add an additional step. After adding the step, I got the OAuth workflow working.
But I wonder if this is the right way to implement the OAuth workflow? As per this article, I am supposed to add an inbound policy, which I have not implemented. Please provide suggestions.
I followed the following steps:
1. Using Azure AD, add the backend application. Go to Manifest, update accessTokenAcceptedVersion to 2 and save. Set the appId URI for the backend app and add a scope.
2. Enable authentication for the backend API. In the Redirect URIs textbox, after the backend API URL, add /.auth/login/aad/callback.
3. Now go back to the App Service (assuming App Service is hosting your backend API) > Authentication > Add an identity provider > from the next window select Microsoft as the identity provider and select the "Pick an existing app registration in this directory" radio button under app registration type. Keep the remaining settings as default and click Add. At this point your backend API is secure.
4. Register the client app.
5. Grant permission. After granting permission, click on Manifest and change the value of accessTokenAcceptedVersion to 2.
6. Now select API permissions > click + Add a permission > select the My APIs tab > select the backend app we created, select the scope and click Add permissions.
7. Create the client certificate: under the client app, select Certificates & secrets > click + New client secret > provide a description and click Add.
Following are the additional steps I added which were not available in the video:
Please note that the inbound policy is used to check whether the access token is valid or not. It checks the value of the aud claim in the access token. You can add the inbound policy based on your requirement like below:
Go to APIM -> APIs -> Select your API -> All Operations -> Select Inbound processing
You can try the below sample policy and Save:
The steps you have followed to implement the OAuth workflow are accurate and will secure the backend API using Azure API Management successfully.
I tried to reproduce the same in my environment and got the results successfully like below:
Reference:
Authorize test console of API Management developer portal using OAuth 2.0 user authorization - Azure API Management
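As an added illustration (my own example, not the answerer's sample policy, which is not reproduced on this page), here is an APIM inbound policy that uses the built-in validate-jwt element to enforce the aud check the answer describes. The tenant ID, backend application (client) ID and scope name are placeholders; because accessTokenAcceptedVersion was set to 2, the token's aud is the backend app's client ID rather than the api:// URI, and the v2.0 issuer and OpenID metadata endpoint are used.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject requests whose bearer token is missing, unsigned, expired,
             or issued for a different audience or tenant.
             Values in braces are placeholders, not values from this page. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      require-signed-tokens="true" require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Signing keys are fetched from the tenant's v2.0 OpenID configuration -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- aud check: a v2.0 access token carries the backend app's client ID in aud -->
            <audiences>
                <audience>{backend-app-client-id}</audience>
            </audiences>
            <!-- Only accept tokens issued by this tenant's v2.0 endpoint -->
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- Also require the scope that was exposed on the backend app registration -->
            <required-claims>
                <claim name="scp" match="any">
                    <value>{scope-name}</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A quick check before saving: decode a token obtained through the developer portal and confirm its aud is the backend app's client ID; if it shows the api:// URI instead, the token is still a v1.0 token and the audience value in the policy must match that instead.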