OAuth Prerequisites

This course deals with how to deploy, configure, and manage some key aspects of Azure API Management (APIM). In particular, we focus on the authentication mechanism and go into depth about how to set up OAuth 2.0, including creating the required Azure AD application registrations. To help with understanding and troubleshooting the OAuth flow, we use Postman to check and validate our configuration.

Next, we take a look at how we can alter API requests at various scopes using API policies. Finally, we look at how to view effective API policies that span multiple scopes and also how to trace API policies during runtime.

Learning Objectives

  • Deploy Azure API Management and import an existing API
  • Gain an understanding of how to configure authentication against APIM using OAuth 2.0
  • Implement API policies against the imported API to alter the API request
  • Use Postman to make API requests against APIM and request and use OAuth authorization tokens
  • Secure the imported API by requiring a valid Azure AD token

Intended Audience
This demo is focused on setting up the prerequisites, which are critical to creating the configuration items for our OAuth setup and making sure we have everything we need. We'll be creating two applications in Azure AD, and we'll be setting up this OAuth token request flow in Postman.

So the first thing we need to do is gather some information. Here is our Cyber Labs domain; we can see the name there, Cyber Labs, and it's also sometimes helpful to grab the directory ID. So if you go to Properties, you can see the directory ID here. I've recorded this information in my notepad, so we have the My Cyber Labs name and the tenant ID.

Next we want to create the applications. It's important to note here that you need to use the classic App registrations, not the V2 app registrations, which are currently in preview. So we go to App registrations and create a new application registration. We're going to call this "API back end", and for the sign-on URL, for now we just want to use HTTPS on our localhost. So we'll create that and click OK.

Now we want to record the application ID, so we click this copy button here, take that to our notepad, and return here to create the next application. So, new application registration again, "API front end", and for the sign-on URL here we want to use the APIM developer portal. We click copy here, return to our application creation, and append a forward slash and "signin". If we look, I've recorded that information here as well, ending in /signin. Then click OK to create it.

We also want to grab this application ID, so that's the API front end ID, and we put that in our API front end text.

The next thing we're going to do is create a secret key that we'll use in the front end application to allow us to communicate with Azure AD and exchange the authorization token for an access token. We need to go to Settings and then Keys. Here we have no keys. So we'll call this one "secret", set the duration to never expires, and save. Now, you only get to see this value once, so it's important that you copy it. This is a secure key and it's important that you keep it secret. In this case, for this demo, we're just going to save it in this text file. We have now created the two applications.

The last step is to grant the appropriate permissions on the front end application. So under Required permissions, we select Add, then Select an API, and we want to grant access to the API back end app, which is here. We select that and say this application is allowed to access the API back end. We select OK and Done, and that has added that delegated permission to this front end application. Something we can use the preview app registrations for is getting the endpoints. So if we go over here and select API front end, and then select Endpoints, we can see all our OAuth endpoints. There's a V2 and a V1; currently the API Management service only works with the V1 endpoints, so you'll notice that the URL is slightly different. In this case we want to copy the OAuth 2.0 authorization endpoint (v1) and the OAuth 2.0 token endpoint (v1). Also copying the OpenID Connect metadata document will be useful later. So I've copied all of these into this document here.

The next step is to configure Postman to use all of these endpoints with this application. If we bring up the Postman application and go to Authorization, under Type we select OAuth 2.0. We want to add the authorization data to the request headers, and we need to get an access token, so Get New Access Token. We can see here this form is blank, so we're going to go through and give it a name; we'll call this "our token". The grant type is authorization code; we can see the different types here, which we mentioned earlier. We want to add a callback URL, and as we're using this in Postman, the callback URL will be Postman's. So this is copied into this callback URL field; paste that in. For the authorization URL, we're trying to authorize at our endpoint, which is the tenant for Cyber Labs, and we want to authorize for a particular resource, which happens to be our back end application. That's what we actually want to get access to. If we look, this is the fully constructed URL: we've got the Microsoft login, the tenant ID, oauth2/authorize, and after that a question mark, resource equals, and then the ID of our back end app. So we've already constructed that. I'm going to copy that and put it under Authorization URL.

Next, we want to go to the access token URL. This comes from the OAuth 2.0 v1 token endpoint; copy that and paste it in. And we want to use the client ID and client secret from the front end application. So the front end application had this ID here, and we want the secret for that application, which is here. Paste that in, and let's try to get that authentication token. Now you can see here I'm currently logged in as Mat at Cyber Labs, which is the administrator for this Azure AD domain, and we've been given the option to authorize API front end to access the back end app and to sign in and read your profile. So this is what we talked about originally with the OAuth flow, and we can see in particular the permissions it wants to access. So we accept that, and we can see the reply URL does not match what's configured. When we configured the application, we didn't add the URL for Postman, so it's fair that that won't respond. In this case we can close this down; we can see there's the callback URL we want to allow. So let's copy that and return to our Azure AD application registrations, and look for API front end under Cyber Labs.

In the front end app we want to change the settings, specifically the reply URLs. We can see we enabled the cloud demo portal sign-in page, but we haven't allowed Postman. So if we add the Postman URL to this, we can then save that information. Let's return to Postman and try to request the token again, refresh the request, and here we have a token. So we can see we've got our token and the token information: what type it is, bearer, and a bunch of other information. We also have the refresh token, so that's great.

So to review what we've done: in Azure AD we've set up two API applications, a front end and a back end application; we've created a secret key on the front end application; and we've delegated it permission to access the back end app. We've also captured the endpoints for that and put that information into Postman, which has allowed us to get a new token from that endpoint. We also approved access for the API app to access My Data from the Cyber Labs domain.
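The following is an added example, not code from the course or from Microsoft, that walks through the same authorization code flow Postman performs in this demo, using the Azure AD v1 endpoints. It shows how the authorization URL with its `resource` parameter is built from the tenant ID and the back end app ID, why an unregistered callback URL produces the "reply URL does not match" error seen above, what the code-for-token request to the v1 token endpoint contains, and how to sanity-check the claims in the token that comes back. All IDs, the secret, the developer-portal URL and the token contents are constructed placeholders; no network calls are made, so it runs offline.

```python
"""Added example (not from the course): the OAuth 2.0 authorization code grant
against the Azure AD v1 endpoints, step by step, with constructed placeholder values."""
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders standing in for the values the demo copies into Notepad.
TENANT_ID = "00000000-0000-0000-0000-000000000001"        # directory (tenant) ID
BACKEND_APP_ID = "11111111-1111-1111-1111-111111111111"   # "API back end" application ID
FRONTEND_APP_ID = "22222222-2222-2222-2222-222222222222"  # "API front end" application ID
FRONTEND_SECRET = "example-client-secret"                 # the key created under Settings > Keys
POSTMAN_CALLBACK = "https://app.getpostman.com/oauth2/callback"
DEV_PORTAL_SIGNIN = "https://example.portal.azure-api.net/signin"  # placeholder portal URL

# The v1 endpoints the demo copies from the app's Endpoints blade.
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"


def build_authorize_url(redirect_uri, state):
    """Step 1: the URL Postman opens. v1 names the target API with 'resource'
    (the back end app ID); v2 would use 'scope' instead."""
    params = {"client_id": FRONTEND_APP_ID, "response_type": "code",
              "redirect_uri": redirect_uri, "resource": BACKEND_APP_ID, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def redirect_uri_allowed(redirect_uri, registered_reply_urls):
    """Azure AD matches redirect_uri against the app's registered Reply URLs exactly;
    a missing entry is the 'reply URL does not match' error from the demo."""
    return redirect_uri in registered_reply_urls


def parse_callback(callback_url, expected_state):
    """Step 2: Postman receives the redirect. Reject it if state does not match what
    we sent (guards against a code injected from another session), then take the code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response was not for this request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code, redirect_uri):
    """Step 3: the form body POSTed to the v1 token endpoint, authenticating as the
    front end app with its secret, to exchange the code for an access token."""
    return {"grant_type": "authorization_code", "client_id": FRONTEND_APP_ID,
            "client_secret": FRONTEND_SECRET, "code": code,
            "redirect_uri": redirect_uri, "resource": BACKEND_APP_ID}


def decode_jwt_claims(token):
    """Read a JWT payload without verifying it; enough to inspect the claims Postman
    displays. Signature validation belongs to the API gateway that consumes the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_claims(claims):
    """Return a list of problems; empty means the token is a v1 token from our tenant,
    issued for the back end app and requested by the front end app."""
    problems = []
    if claims.get("aud") != BACKEND_APP_ID:
        problems.append("aud is not the back end app ID")
    if claims.get("appid") != FRONTEND_APP_ID:
        problems.append("appid is not the front end app ID")
    if claims.get("tid") != TENANT_ID:
        problems.append("tid is not our tenant")
    if claims.get("ver") != "1.0":
        problems.append("not a v1 token (APIM in this course uses the v1 endpoints)")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned JWT so the example runs offline (not a real Azure AD token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    state = "xyz123"
    print("authorize URL:", build_authorize_url(POSTMAN_CALLBACK, state))
    registered = [DEV_PORTAL_SIGNIN]          # reply URLs before the fix in the demo
    print("Postman callback allowed:", redirect_uri_allowed(POSTMAN_CALLBACK, registered))
    registered.append(POSTMAN_CALLBACK)       # the fix: add Postman's URL and save
    print("after adding it:", redirect_uri_allowed(POSTMAN_CALLBACK, registered))
    code = parse_callback(f"{POSTMAN_CALLBACK}?code=AUTHCODE&state={state}", state)
    print("token request body:", build_token_request(code, POSTMAN_CALLBACK))
    sample = make_sample_token({"aud": BACKEND_APP_ID, "appid": FRONTEND_APP_ID,
                                "tid": TENANT_ID, "ver": "1.0", "upn": "user@example.test"})
    print("claim problems:", check_token_claims(decode_jwt_claims(sample)))
```

The `state` check is something Postman handles for you but is worth seeing explicitly, and the claims check is the same set of questions you would ask when a token is accepted by Azure AD yet rejected by the gateway: wrong audience (you authorized for the wrong `resource`), wrong tenant, or a v2 token where v1 is expected.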

About the Author

Matthew Quickenden is a motivated Infrastructure Consultant with over 20 years of industry experience supporting Microsoft systems and other Microsoft products and solutions. He works as a technical delivery lead managing resources, understanding and translating customer requirements and expectations into architecture, and building technical solutions. In recent years, Matthew has been focused on helping businesses consume and utilize cloud technologies with a focus on leveraging automation to rapidly deploy and manage cloud resources at scale.