This course deals with how to deploy, configure, and manage some keys aspects of Azure API management (APIM). In particular, we focus on the authentication mechanism and go into depth about how to set up OAuth 2.0, including creating the Azure AD required application registrations. To help with understanding and troubleshooting the OAuth flow, we utilize Postman to check and validate our configuration.
Next, we take a look at how we can alter API requests at various scopes using API policies. Finally, we look at how to view effective API policies that span multiple scopes and also how to trace API policies during runtime.
Learning Objectives
- Deploy Azure API Management and import an existing API
- Gain an understanding of how the configure authentication against APIM using OAuth 2.0
- Implement API policies against the imported API to alter the API request
- Use Postman to make API requests against APIM and request and use OAuth authorization tokens
- Secure the imported API by requiring a valid Azure AD token
Intended Audience
- People who want to become Azure developers and who design and build cloud solutions
- People preparing for Microsoft’s AZ-203 exam
Prerequisites
There are a lot of components that make up the configuration of the service. Here we are going to explain what we are going to work through. We have already started the creation of the Clouddemo API in our subscription. Once this completes we are going to ingest an API provided by Microsoft. This API contains a number of API operations around getting conference data. We will then create a simple API request in Postman. From there we can create the required applications in Azure AD, I've already provisioned an Azure AD called Cyber Labs for this demo. And will expect you to have your own Azure AD or if you don't have one to configure it now. In the Azure AD we will create a backend app, a front end app along with a secret key. We will also grant the front end application permission to access the backend app. We will use the Azure Portal, the Developer Portal, and Postman to query the import of Microsoft Demo APIs using these applications. We will then add API policies and look at how we can scope and understand effective policy and how to trace these policies. Finally we will make sure that our API is secure and that requests to the API require a valid access token or bearer token from our Azure AD tenant which in this case is Cyber Labs.
There are a lot of configuration items throughout this demo I record into Notepad To help you here is all the text. You may just want to copy it from the transcript and fill it out with your specific data as you go through the demos.
https://conferenceapi.azurewebsites.net?format=json
https://{name}.azure-api.net/sessions
Starter Subscription Key: 76c24a0abeb94104809b0810f74a20e5
Subscription Header: Ocp-Apim-Subscription-Key
Azure AD Tenant: mycyberlabs.onmicrosoft.com
Azure AD Tenant GUID: fc9f98a5-2d78-4a13-afa4-2ccfe88db15a
Apps
myFrontEndApp ID: 902eef25-668f-4e58-8398-f72a5da893ea
myFrontEndApp Secret Key: QZdqqvNXBxm466IvJd5ociARYInUwNyPbXJuJLP3IyE=
myBackEndApp ID: f9a45df4-6102-4f5c-a855-e2a2cbbab627
Call Back URLs
Postman Call back URL: https://www.getpostman.com/oauth2/callback
https://{name}.portal.azure-api.net/signin
https://{name}.portal.azure-api.net/docs/services/cyberlabs/console/oauth2/authorizationcode/callback
https://{name}.portal.azure-api.net/signin-aad
Endpoints
OAuth 2.0 (v1) Authorization Endpoint: https://login.microsoftonline.com/{aad-tenant}/oauth2/authorize
OAuth 2.0 (v1) Token Endpoint: https://login.microsoftonline.com/{aad-tenant}/oauth2/token
OpenID Connect meta document: https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration
V1
https://login.microsoftonline.com/mycyberlabs.onmicrosoft.com/.well-known/openid-configuration
postman Oauth
https://login.microsoftonline.com/{aad-tenant}/oauth2/authorize?resource={resource ID}
https://login.microsoftonline.com/{aad-tenant}/oauth2/authorize?resource={resource ID}&response_type=code&client_id={client ID}&redirect_uri=https://{name}.portal.azure-api.net/docs/services/cyberlabs/console/oauth2/authorizationcode/callback&state={state ID}
Matthew Quickenden is a motivated Infrastructure Consultant with over 20 years of industry experience supporting Microsoft systems and other Microsoft products and solutions. He works as a technical delivery lead managing resources, understanding and translating customer requirements and expectations into architecture, and building technical solutions. In recent years, Matthew has been focused on helping businesses consume and utilize cloud technologies with a focus on leveraging automation to rapidly deploy and manage cloud resources at scale.