Is this the right way to implement OAuth 2.0 for Azure API Management?


I followed the https://www.youtube.com/watch?v=TRrBqNYtyj8 video to secure my backend API using Azure API Management. After following the steps the workflow was not working and I had to add an additional step. After adding the step, I got the OAuth workflow working.

But I wonder if this is the right way to implement the OAuth workflow? As per this article, I am supposed to add an inbound policy, which I have not implemented. Please provide suggestions.

I followed these steps:

  1. Using Azure AD, add the backend application.


  2. Go to Manifest, update accessTokenAcceptedVersion to 2 and save. Set the appId URI for the backend app and add a scope.


  3. Enable authentication for the backend API. In the Redirect URIs textbox, after the backend API URL add /.auth/login/aad/callback


  4. Now go back to the App Service (assuming an App Service is hosting your backend API) > Authentication > Add an identity provider > from the next window select Microsoft as the identity provider and select the "Pick an existing app registration in this directory" radio button under app registration type. Keep the remaining settings as default and click Add.


  5. At this point your backend API is secure.

  6. Register the client app.


  7. Grant permission. After granting permission, click on Manifest and change the value of accessTokenAcceptedVersion to 2.


  8. Now select API permissions > click + Add a permission > select the My APIs tab > select the backend app we created, select the scope and click Add permissions.


  9. Create Client Certificate: Under the client app, select Certificates & secrets > click + New client secret > provide a description and click Add.

Following are the additional steps I added which were not available in the video:

  1. Under the client app > Overview > Endpoints > make a note of the token and authorize endpoints:


  2. Open API Management > select OAuth 2.0 + OpenID Connect > + Add button


  3. Now open APIM > APIs > select your API > Settings > under Security > User authorization select the OAuth 2.0 radio button.

There is 1 answer below:

Please note that the inbound policy is used to check whether the access token is valid or not. It checks the value of the aud claim in the access token.

You can add the inbound policy based on your requirement like below:

Go to APIM -> APIs -> Select your API -> All operations -> Select Inbound processing


You can try the sample policy below and save:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <!-- replace "aadtenant" with your tenant ID; the v2.0 endpoint matches accessTokenAcceptedVersion = 2 -->
    <openid-config url="https://login.microsoftonline.com/aadtenant/v2.0/.well-known/openid-configuration" />
    <required-claims>
        <!-- replace "backendappclient-id" with the application (client) ID of the backend app registration -->
        <claim name="aud">
            <value>backendappclient-id</value>
        </claim>
    </required-claims>
</validate-jwt>


The steps you have followed to implement the OAuth workflow are accurate and will secure the backend API using Azure API Management successfully.

I tried to reproduce the same in my environment and got the results successfully like below:


Reference:

Authorize test console of API Management developer portal using OAuth 2.0 user authorization - Azure API Management