OAuth2 Authentication at Azure API Management - azure

I am struggling to redirect to Azure AD endpoint (MS Login page) for authentication from API Management.
I tried OAuth2/Openidconnect in APIM but not succeeded.
What is the use of OAuth2 in APIM? Is it only for testing from Developer Portal?

It ensure that only valid users have access, and they can only access resources to which they're entitled.
In order to use Azure API Management's interactive Developer Console with such APIs, the service allows you to configure your service instance to work with your OAuth 2.0 enabled API.
Follow the doc for more info. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2

Related

Call azure DevOps API from custom azure webapp api without user behalf

I have an Azure WebApp which needs to call the Azure DevOps API to trigger a build pipeline.
The only problem I have is to find out which is the proper way to authenticate from my web api against azure devops API.
Should I use a service principal account for that, or Managed Identity?
Do I have to create a service account in Azure AD, give him rights on Azure DevOps ?
I only have a route which then calls the DevOps API, so I need to authenticate at the moment the route was called with a Principal from the WebApp.
Iam a little bit lost how to do it the right way, because there is so much information about the auth topic.
Currently I use my personal account with PAT from Azure KeyVault, which is only a temporary solution.
Thanks & Regards
If you check this Choose the right authentication mechanism document, you will find several types of authentication mechanism from your Web App API against azure DevOps API.
But it's mostly recommended to use Azure DevOps Services Client Libraries for authentication and accessing Azure DevOps Services resources. You can authenticate your web app users for REST API access, so your app doesn't continue to ask for usernames and passwords.
Azure DevOps Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your application. When you call Azure DevOps Services APIs for that user, use that user's access token. Access tokens expire, so refresh the access token if it's expired.
I would suggest to read this Authorize access to REST APIs with OAuth 2.0 document for the more explanation and detailed approach to achieve the result.
In case, if any required functionality is missing from the client libraries, MSAL is an alternative authentication mechanism to use with our REST APIs.

Authorisation via Azure APIM

We have implemented authentication via OAuth 2 in Developer Portal of API Management and AAD within an internal network.
How should I go about implementing authorisation? I cannot find any doc from MS doc site :(.
https://tointegrationandbeyond.com/blogs/index.php/2020/06/13/authorization-with-azure-api-management/
https://www.cloudfronts.com/securing-an-api-using-oauth-2-0-in-azure-api-management-part-3-oauth-2-0-server-setup/
The API Management is a proxy to the backend APIs, it’s a good practice to implement security mechanism to provide an extra layer of security to avoid unauthorized access to APIs.
To use OAuth 2.0 authorization with Azure AD:
We need to have
• An API Management instance
• An API being published that uses the API Management instance
• An Azure AD tenant
And then we need to
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please check this reference docs for more clarification Protect API's using OAuth 2.0 in APIM
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

In which scenario I should use Authentication link from Web App Azure Portal and in which scenario I have to use MSAL Library

I want to Authenticate user using Azure AD.
I had application registration in Azure AD and everything is set up ,I am using Authentication link from Azure Portal Web app settings section.
According to Microsoft dcoumentation MSAL library is recommended
when to use MSAL library and when to use Azure Portal Authentication
Azure Portal => Settings=> Authentication.
Authentication link from Web App Azure Portal is Easy Auth.
It does not conflict with whether you use MSAL.
You can take a look at Why use the built-in authentication?.
An important reason is:
The built-in authentication feature for App Service and Azure
Functions can save you time and effort by providing out-of-the-box
authentication with federated identity providers, allowing you to
focus on the rest of your application.
When you enable Easy Auth, Azure will create an app registration which represents your web app. Any attempts to access your web app will require sign-in with your Azure AD account.
You can also use the app registration Azure created for you (or create your own app registration without enabling Easy Auth) to configure with MSAL. MSAL is a mature framework and you can find the following benefits here.
Easy Auth uses Implicit Flow by default to sign in. If your web app requires other auth flows (eg. auth code flow, client credentials flow), using MSAL would be a better choice.

How do I secure Azure API Management APIs using Azure B2C

I’m using web applications secured with Azure Active Directory B2C. Those applications call services using JavaScript hosted by Azure API Management.
I was surprised to read that I can only secure front end APIs using App Keys or client certificate.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-create-subscriptions
How can I secure those applications using an Oauth token?
You can configure B2C as an identity provider in Azure API Manager:
How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management
This article explains how to authorize access to the developers portal but think about the developers portal as "ANY API"
You can validate the JWT issued by Azure AD B2C using an API Management policy:
API Management access restriction policies - Validate JWT
Take into account this detailed document that published a few months ago :
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

Using Azure AD B2C and MSAL to authenticate a windows service

Is it possible to use MSAL to allow a windows service to access a web api protected by Azure AD B2C? If not, what is the best way to allow a autonomous service to access an API protected by B2C.
This scenario should be addressed with the Client Credentials OAuth flow.
This is possible in Azure AD B2C, however, the experience isn't ideal.
To do achieve this, use "App Registration" blade in the Azure Portal to register a apps that define application permissions and then register apps that use client credentials to request these. You would effectively be using the same mechanism that you use in regular Azure AD, see Azure AD's "Daemon or Server Application to Web API" documentation
Important note: Make sure you are not using the Azure AD B2C blades for this.
You can support the ask for a first class experience by voting for this entry in the Azure AD B2C feedback forum: Support OAuth 2.0 Client Credential Flow

Resources