Securing an API using OAuth 2.0 in Azure API Management

Posted On December 4, 2020 by Shrusti Talati

Part 1: Configuration of Applications in Azure AD

Introduction

Configuring OAuth 2.0 for your APIs hosted in Azure API Management adds an extra layer of security and prevents unauthorized access. This is a very important configuration from a security point of view for your endpoints, and it is provided out of the box by Azure. This is the first part of a series of blog posts on securing your API using OAuth 2.0 in Azure API Management. Please go through all the parts to find easy and detailed steps that will help you configure OAuth 2.0 authentication.

Register an application (Backend App) in Azure AD to represent the API

To protect an API with Azure AD, the first step is to register an application in Azure AD that represents the API.

  1. Go to the Azure portal to register your application. Search for and select App registrations.
  2. Select New registration.
  3. When the Register an application page appears, enter your application’s registration information:
     1. In the Name section, enter a meaningful application name that will be displayed to users of the app, such as backend-app.
     2. In the Supported account types section, select an option that suits your scenario.
  4. Leave the Redirect URI section empty.
  5. Select Register to create the application.

On the app Overview page, find the Application (client) ID value and record it for later.

Select Expose an API and set the Application ID URI to the default value. Record this value for later.

Select the Add a scope button to display the Add a scope page. Then create a new scope that’s supported by the API (for example, Files.Read). Finally, select the Add scope button to create the scope. Repeat this step to add all scopes supported by your API.

When the scopes are created, make a note of them for use in a subsequent step.

Register Consumer application in Azure AD to represent a client application (Client App)

Every client application that calls the API needs to be registered as an application in Azure AD as well. In this example, the client application is the Developer Console in the API Management developer portal. Here’s how to register another application in Azure AD to represent the Developer Console.

  1. Go to the Azure portal to register your application. Search for and select App registrations.
  2. Select New registration.
  3. When the Register an application page appears, enter your application’s registration information:
     1. In the Name section, enter a meaningful application name that will be displayed to users of the app, such as client-app.
     2. In the Supported account types section, select an option as required.
  4. In the Redirect URI section, select Web and leave the URL field empty for now.
  5. Select Register to create the application.

On the app Overview page, find the Application (client) ID value and record it for later.

Now, create a client secret for this application to use in a subsequent step.

  1. From the list of pages for your client app, select Certificates & secrets, and select New client secret.
  2. Under Add a client secret, provide a Description. Choose when the key should expire, and select Add.

When the secret is created, note the key value for use in a subsequent step.
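The values recorded in this part (backend-app Application ID URI and scope, client-app Application ID and secret, tenant ID) are consumed later by the OAuth 2.0 authorization code flow. The following is an added example, not code from the original post or from Azure: it shows where each recorded value lands in the authorize request, the token request, and the resulting access token's aud and scp claims. All IDs, the redirect URI and the sample token are constructed placeholders; it inspects claims only and does not verify a signature.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders standing in for the values recorded in the steps above.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"           # Directory (tenant) ID
BACKEND_APP_ID = "11111111-1111-1111-1111-111111111111"      # backend-app Application (client) ID
BACKEND_APP_ID_URI = f"api://{BACKEND_APP_ID}"               # default Application ID URI from Expose an API
CLIENT_APP_ID = "22222222-2222-2222-2222-222222222222"       # client-app Application (client) ID
REDIRECT_URI = "https://example.test/oauth2/callback"        # placeholder; filled in on the client app later
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"

def api_scope(scope_name: str) -> str:
    """Full scope a client requests: <Application ID URI>/<scope name>, e.g. .../Files.Read."""
    return f"{BACKEND_APP_ID_URI}/{scope_name}"

def authorize_url(scope_name: str, state: str) -> str:
    """Authorization request the client app sends the user to (step 1 of the code flow)."""
    params = {"client_id": CLIENT_APP_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "response_mode": "query",
              "scope": api_scope(scope_name), "state": state}
    return f"{AUTHORITY}/authorize?{urlencode(params)}"

def token_request(code: str, client_secret: str, scope_name: str) -> tuple[str, dict]:
    """Token endpoint URL and form body the client app POSTs, using its client secret."""
    body = {"client_id": CLIENT_APP_ID, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "scope": api_scope(scope_name)}
    return f"{AUTHORITY}/token", body

def claims_match_backend(access_token: str, required_scope: str) -> bool:
    """True if the JWT payload's aud names the backend app and scp contains the scope.
    Claims only: signature and expiry checks are not done here."""
    payload_b64 = access_token.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    aud_ok = payload.get("aud") in (BACKEND_APP_ID_URI, BACKEND_APP_ID)
    scp_ok = required_scope in payload.get("scp", "").split()
    return aud_ok and scp_ok

def sample_token(aud: str, scp: str) -> str:
    """Constructed, unsigned JWT (header.payload.) for demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'scp': scp})}."
```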
