Objective
In this article, we learn how you can protect your APIs using OAuth2.0 Authorization with the Azure AD Client Credentials flow. When APIs on API Management are consumed by other application(End User), we need to have service to service communication by configuring the OAuth 2.0 authorization code flow to protect APIs on API Management.
Prerequisites
a. An Azure API Management instance, if you do not have and you are new to it, read my previous articles to understand and implement.
b. Admin access to the Azure AD tenant
We will need two applications to be registered in the Azure active directive and few configuration settings to create the client credential flow to protect the API.
Let’s begin with all the steps one by one.
Step 1
Login to the azure portal, go to all service and search for Azure Active Directive and click on it.
![]()
Now in Azure Active Directory, we need to register two apps - ResourceApp and ClientApp.
Step 2
Go to App registrations-> click on new registration.
![]()
Step 3
You will see below screen to be filled, so we will give our first app name ResourceApp and rest of the fields leave as it is. Click on the Register button.
![]()
After creating the ResourceApp, just copy the Application(Client) Id and Directory(Tenant) Id and keep them somewhere to use later. Tenant Id is directory level, so it will be same for all apps registered into the Azure Active Directory.
![]()
Step 4
Now go to the Expose API-> click on set to set the App URI-> there will be a popup, copy the app URI, put it somewhere and click on Save button.
![]()
![]()
Step 5
Now go to App roles-> click on create roles-> now a popup will come, provide the app roles
There are few inputs like Display name, allowed member Type, Value, Description and enable the app role. So, fill according to as I filled(highlighted)-> Click on Apply button.
![]()
![]()
Now you can see the role is added to the app.
![]()
Now we will create another app named ClientApp same as we have created the ResourceApp but the configurations will be different for ClientApp.
Step 6
Go to App registrations-> click on new registration-> will provide our second app name ClientApp and rest of the fields leave as it is. Click on the Register button.
![]()
After creating the ClientApp, just copy the Application(Client) Id and keep it somewhere as it will use later.
![]()
Step 7
Go to Certificates and Secrets-> Click on New client secret-> A popup will show, provide description and select the expiration time as I have selected 3 months-> Click on Add button.
![]()
![]()
Copy the Secret value and keep it somewhere as it will also be used later.
![]()
Step 8
Go to the API permission-> Click on Add a permission-> A popup will show with three tabs, select the last tab My APIs-> you will see the ResourceApp which we have created in the first step-> select this ResourceApp, A popup will appear to check the permission(If you noticed, it is the role APIAccess which we have added into ResouceApp)-> Click on checkbox-> Click on Add permission button.
![]()
![]()
![]()
Step 9
The access we have added is not granted by default, so for granting the access click on the ‘Grant admin consent for Default Directory’-> A popup will show to yes or no, click on Yes button.
![]()
Now you can see in below screenshot, status is showing Granted for default directory.
![]()
Step 10
Go to the Overview of ClientApp-> Click on Endpoints-> collect the OAuth 2.0 token endpoint(v2) and keep it in notepad.
![]()
Step 11
Now we will generate the token by calling the endpoint which we have collected in above step. Before this, we will conclude what we required as I told you to keep keys somewhere to further use.
AD Tenant Id
Application(Client) Id of ResourceApp
Application(Client) Id of ClientApp
Secret of ClientApp
So here is payload details to generate token
Endpoint:https://login.microsoftonline.com/{AD Tenant ID}/oauth2/v2.0/token
Headers:
Content-Type: application/x-www-form-urlencoded
Payload:
client_id={put your Application(Client) Id of ClientApp
}&client_secret={put your Secret of ClientApp}
&scope={put your Application(Client) Id of ResourceApp}/.default
&grant_type=client_credentials
After arranging all above in postman, make a request, you get a token in response.
![]()
Step 12
Now you can decode your token to go on jwt.ms site(This step is optional). Here you can see all the details which token contains; just verify the role we had added.
![]()
Now we will add policy and test our API under API Management that we have created in the last couple of articles(I have mentioned the article URL in the beginning)
Step 13
Go to the API Management-> Click on APIs-> Click on MyAPI->Click on All Operations-> Click on Policy editing symbol </> under inbound processing.
![]()
Step 14
Put below policy inside the <inbound> policy-> click on Save button.
Note: Put the tenant id and client Id of ResourceApp in the below policy before clicking on Save button.
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/{Put here-tenant Id}/.well-known/openid-configuration" />
<required-claims>
<claim name="aud" match="any">
<value>{Put here resourceAPI Client ID}</value>
</claim>
</required-claims>
</validate-jwt>
![]()
Step 15
Now let’s test our API’s NumberToWord operation, click on NumberToWord-> Test, then you will get below screen to pass headers and payload. So below are our backend details
Header:
Content-Type: text/xml;charset=utf-8
Authorization: Bearer {Access Token which we have generated}
Payload:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<NumberToWords xmlns="http://www.dataaccess.com/webservicesserver/">
<ubiNum>500</ubiNum>
</NumberToWords>
</soap:Body>
</soap:Envelope>
After putting the header and payload click on send button.
![]()
See, you will get the expected response.
![]()
Step 16
Just to verify that client flow is working properly, you can give wrong token as I have added some additional alphabets in between of token.
See, you will get 401 Unauthorized and the message “Unauthorized. Access token is missing or invalid.” That we have set in the policy.
![]()
Step 17
If you want to test API from postman or you need to consume this into any application then here you need to get some details while calling the API.
Endpoint: This is your gateway url https://az-learningapim.azure-api.net/.
Headers:
Content-Type: text/xml;charset=utf-8
Ocp-Apim-Subscription-Key: dd0bd20*********8***fc7da0
Authorization: Bearer {Access Token which we have generated}
Payload:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<NumberToWords xmlns="http://www.dataaccess.com/webservicesserver/">
<ubiNum>500</ubiNum>
</NumberToWords>
</soap:Body>
</soap:Envelope>
Put the above details into postman app and send the request. You will get as expected response with 200 Ok status.
![]()
Step 18
Make the changes in header and validate the API again, it will give you 401 Unauthorized.
![]()
Hope, this article will help you to secure your APIs of API management.
Thanks