I have an API Management resource on Azure which uses an API running as a Kubernetes cluster.
I want to have OAuth2.0 authentication for clients/applications which connect to the API management URL. I do not want any user authentication, but only want clients which want to use the URL to send a client ID and client Secret.
How do I do this?
I could not find anything related to this in the documentation.
If you dont want user context to be involved, You must prepare client credential flow from Oauth2.0 which uses client id and client secret.
I am explaining using Azure AD.
1) Create Application in Azure AD and get client id and secret
(https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-new-portal/)
2) Call token end point of Azure AD to get secured token
(https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
3) Pass this token to APIM using authorize or from any header
4) Validate JWT and check issuer,audience and application level scopes
(https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT)
No sure what exactly are you asking!
But here are two places where you will find a solution to your question:
How to secure your backend apis: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
API Management access restriction policies: https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies. More specific here check the Validate JWT (https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT)
Related
I have two projects in a solution. One is .net core 3.0 based Web API. Next is Angular 9 SPA. I've been asked to setup Azure AD based authentication. So I enabled that in API.
But I am seriously confused where it actually requires to enable? Client App or API? or Both?
Since your client needs to call the API, it needs to authenticate to it.
And since the API requires AAD tokens, your client will need to acquire one.
So you need to implement Azure AD authentication in your client application and in the API.
The client's job is to authenticate the user with Azure AD and acquire an access token for the API.
It then adds that token as a header on each request:
Authorization: Bearer token-goes-here
The API then validates that token on each request.
I'm enabling OAuth2 for my Azure API Management instance. I click Add to add OAuth2, and it's asking me to enter name, and description of authorization service, so my thinking is I am creating an authorization service here.
Why is it asking me to provide client id, client secret, resource owner user, and resource owner password. I understand the concepts of OAuth2 and how these are used, but I am setting up API Management to handle OAuth2 authorization, so the job of the Authorization server will be to validate authorization codes and client secrets. The clients will have their own Client IDs and Client Secrets. Resource Owner should be an Azure AD identity with it's own user name and password.
Why, when I am setting up the authorization server for API Management is it asking me to enter Client ID and Client Secret as well as Resource Owner credentials. It doesn't make sense to me. Can someone explain?
So....what gives? Am I in the wrong screen because API Management
APIM can't be used as OAuth server. The only reason at the moment to configure OAuth/OIDC server in APIM is to make sure it's included into exported specification of an API and that developer portal has a convenient UI to let users obtain tokens, nothing else. That's why it's expected to provide client id and secret, because APIM is effectively a client.
Step 1 : Choose an OAuth provider such as Auth0
Step 2 : Configure various OAuth scenarios as API's in your OAuth provider (API is the term Auth0 uses, other providers might refer to them with other terms)
Step 3 : Create APIM OAuth 2 records, filling in the fields in your question (client id, client secret). Create a record for each API you have configured in your OAuth provider (in Step 2).
Step 4 : In the APIM edit the details of the various API's choosing the appropriate OAuth record you setup in Step 3. Here you are choosing the OAuth scenario for each of your APIs. Many APIs may use the same scenario, but obviously an individual APIM API entry can only link to 1 OAuth scenario
Thus you have configured various APIs in the APIM against various OAuth scenarios. Usually the details behind the OAuth setup are invisible to the API and are so setup and exposed only by their ClientID, secret and urls for token and authorise.
Auth0 has a good tutorial for seting up Azure APIM: HERE
apim should have it's own identity. Have you created an app registration for the instance? The credentials from the app reg on aad used will identify apim and allow validation of the token.
I have an API hosted in Azure (Web App). This API can't be accessed directory by every client (IP Restriction), and I am willing to use APIM to protect it.
Users will call the APIM-Gateway and the gateway should responds appropriately.
One big problem is authentication: I am protecting this API (The Backend API and not the APIM-Gateway endpoint) with AAD.
So users should authenticate themselves against AAD and access the resources with no direct access to the backend.
Is it possible to implement such a scenario?
If you're fine with users authenticating against AAD then it's perfectly supported. With that model APIM may be used to just pass-through user requests to backend or you could use validate-jwt policy somewhere in request processing pipeline to validate users' tokens and authorize invoked actions.
APIM's authorization servers feature may be used to document that your APIs require AAD token from certain server. If this is done test console on developer portal will show controls to simplify getting token to make test calls to your APIs.
Normally APIM requires clients to pass subscription keys to authenticate and authorize calls. But if you're relying on AAD that may be not something you want - then you can use Open product to make your calls anonymous to APIM. validate-jwt policy can still be used to require certain token to be present with request.
There are various ways you can ensure that your backend is reachable only via APIM:
Shared secret - set a special header in APIM policy and check it's value on backend.
Client certificate authentication - APIM may be set up to attach client certificate to each request to backend that you will check at backend side to make sure that this is APIM making a call.
VNET - APIM can join your VNET, while backend may be setup to accept calls only within VNET making it possible to be called only through APIM.
I have used below approach in my recent project and used jwt validation to validate oauth2 token in policy
Follow Microsoft document link https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.
Here is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization. (optional)
Add the validate-jwt policy to validate the OAuth token for every incoming request.
We are providing a web api that is protected with Azure OAuth 2.0.
Our affilates will use this api and they each will get a clientid/client.
1) In the linked scenario. Why would there be need for a refresh-token?
if the token expires their (web)application would just send for a new token using their clientid and sclient secret?
2)
We have 100+ affiliates. Almost all of them will have same permissons, but we still want to give everyone a unique clientid/secret. How do we practically do this? Is manually in azure web portal the only way?
Azure Oauth - how to change token expiration time?
1) In the linked scenario. Why would there be need for a refresh-token? if the token expires their (web)application would just send for a new token using their clientid and sclient secret?
Refresh tokens are used if the client makes a delegated call to your API.
In this case the token will contain the currently logged in user's info as well.
The client can use the refresh token to get a new access token for your API for a specific user when the access token expires (instead of redirecting them to login again to get an authorization code etc.)
If they call your API purely using client credentials (id + secret) then there will not be a refresh token.
2) We have 100+ affiliates. Almost all of them will have same permissons, but we still want to give everyone a unique clientid/secret. How do we practically do this? Is manually in azure web portal the only way?
To get a unique client id for each affiliate, you must create a new app registration for each of them.
You can automate this process by creating the Application and Service Principal via one of the Graph APIs (Azure AD Graph or MS Graph):
AAD Graph: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity
MS Graph: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_applications
Note the MS Graph endpoints for applications are still in beta and not recommended for production use.
This is one of the very few cases where Azure AD Graph API is the supported case.
You will need to create an Application for each affiliate (remember to create the passwordCredential (secret) as well),
then create a Service Principal based on the Application,
and then grant the Service Principal rights to your API.
If these are application permissions, you will have to create appRoleAssignments.
I have an API APP deployed in Azure & I put on Azure Active Directory Authentication. I need that API APP should be accessible outside.(The people who are not using Azure)
I have added that API APP into Api Management Service to use policy & authorize API.
Is any way to do that? Can I use Client Id & client secret to authenticate API APP
Yes, you can use send-request (https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SendRequest) policy as a part of request processing to call into AAD with client id and secret and obtain authentication token to attach to ongoing request. Works best with implicit oauth flow since it requires only single HTTP call.