Authorisation via Azure APIM - azure

We have implemented authentication via OAuth 2 in Developer Portal of API Management and AAD within an internal network.
How should I go about implementing authorisation? I cannot find any doc from MS doc site :(.
https://tointegrationandbeyond.com/blogs/index.php/2020/06/13/authorization-with-azure-api-management/
https://www.cloudfronts.com/securing-an-api-using-oauth-2-0-in-azure-api-management-part-3-oauth-2-0-server-setup/

The API Management is a proxy to the backend APIs, it’s a good practice to implement security mechanism to provide an extra layer of security to avoid unauthorized access to APIs.
To use OAuth 2.0 authorization with Azure AD:
We need to have
• An API Management instance
• An API being published that uses the API Management instance
• An Azure AD tenant
And then we need to
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please check this reference docs for more clarification Protect API's using OAuth 2.0 in APIM
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

Related

Azure AD B2C - Using access token returned from sign in flow to secure the rest web API

I am using Azure B2C in my react SPA to sign in the user with external identity providers e.g. Google and Facebook. I have some .net core web API that needs to be called by signed-in users only. I have followed Azure documents for my scenario. As per the docs, I need to register another AD B2C application for web API security and my client app needs to acquire the token with the scope defined in the server-side AD app and pass that token while calling the web API.
Why can't I use the same access token received from azure AD B2C as part of the sign-in flow to pass it to my web API and validate it on the server side to secure the Web API? In that case, I don't need to create another server-side AD application for securing the API.
You can, but it’s simply against the protocol spec. Each client needs to be registered and have a unique client Id/AppId.
Plus if you do it with one App Registration, your logs would never differentiate access to your front end vs access to your api.

What are some ways to securing web api with authorization in Azure

I am developing an Web API .net core and hosting it in Azure as we are migrating to Azure. To secure the web API and for Authorization (Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory). But I have some questions as following below:
Question 1. if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
Questions 2 Can we protect an Api that is hosting in OAuth without Active Directory.
Question 3. What is securing an api with Microsoft Identity vs OAuth. It is confusing to me why should I not use Microsoft identity over OAuth for Authorization. Is it something new that came out from Microsoft?
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api
Thanks
if I protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory then if we want to expose the Api to the third party outside of the organization then would it work?
If your protecting your web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory, you cannot expose your API to any 3rd party application or an organization so easily.
For that purpose you will have to
federate that application/SAAS with azure AD for users in that platform to be able to access the API.
You have to give permission/privileges to the federated users of that platform to be able to access the web API and its scope.
Can we protect an Api that is hosting in OAuth without Active Directory?
No, we cannot protect an API hosting in OAuth without Active Directory.
Because, OAuth authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs.
It's used to perform authentication and authorization in the majority of app types, including web apps and natively installed apps.
What is securing an api with Microsoft Identity vs OAuth?
A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault.

OAuth2 Authentication at Azure API Management

I am struggling to redirect to Azure AD endpoint (MS Login page) for authentication from API Management.
I tried OAuth2/Openidconnect in APIM but not succeeded.
What is the use of OAuth2 in APIM? Is it only for testing from Developer Portal?
It ensure that only valid users have access, and they can only access resources to which they're entitled.
In order to use Azure API Management's interactive Developer Console with such APIs, the service allows you to configure your service instance to work with your OAuth 2.0 enabled API.
Follow the doc for more info. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2

How do I secure Azure API Management APIs using Azure B2C

I’m using web applications secured with Azure Active Directory B2C. Those applications call services using JavaScript hosted by Azure API Management.
I was surprised to read that I can only secure front end APIs using App Keys or client certificate.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-create-subscriptions
How can I secure those applications using an Oauth token?
You can configure B2C as an identity provider in Azure API Manager:
How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management
This article explains how to authorize access to the developers portal but think about the developers portal as "ANY API"
You can validate the JWT issued by Azure AD B2C using an API Management policy:
API Management access restriction policies - Validate JWT
Take into account this detailed document that published a few months ago :
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

Azure Active Directory Verify Access Token in Web Api outside of Azure

If my Web Api application is hosted outside Azure, can I use access tokens issued by Azure AD and verify the tokens in the Web Api itself or against Azure AD?
All the examples available are referring to the Web Api applications hosted on Azure. But there must be a way to do this with Web Api outside Azure.
Any reference to solution would help.
Azure active directory support the OAuth 2.0 to authorize the third-party apps. It doesn’t matter where the web API or apps hosted. Below figure is the stand OAuth flow from RFC 6749 – The OAuth 2.0 Authorization Framework.
Technically, the web API only need to verity the token from the endpoint it trust. I also explained the detail about verifying the access token from this thread.
And if you want to know more about the scenarios developing with Azure AD, you can also take a look this article.

Resources