This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Download Microsoft Edge
More info about Internet Explorer and Microsoft Edge
In this article, you'll learn high level steps to configure your
Azure API Management
instance to protect an API, by using the
OAuth 2.0 protocol with Azure Active Directory (Azure AD)
.
For a conceptual overview of API authorization, see
Authentication and authorization to APIs in API Management
.
Prerequisites
Prior to following the steps in this article, you must have:
An API Management instance
A published API using the API Management instance
An Azure AD tenant
Overview
Follow these steps to protect an API in API Management, using OAuth 2.0 authorization with Azure AD.
Register an application (called
backend-app
in this article) in Azure AD to protect access to the API.
To access the API, users or applications will acquire and present a valid OAuth token granting access to this app with each API request.
Configure the
validate-jwt
policy in API Management to validate the OAuth token presented in each incoming API request. Valid requests can be passed to the API.
Details about OAuth authorization flows and how to generate the required OAuth tokens are beyond the scope of this article. Typically, a separate client app is used to acquire tokens from Azure AD that authorize access to the API. For links to more information, see the
Next steps
.
Register an application in Azure AD to represent the API
Using the Azure portal, protect an API with Azure AD by first registering an application that represents the API.
For details about app registration, see
Quickstart: Configure an application to expose a web API
.
In the
Azure portal
, search for and select
App registrations
.
Select
New registration
.
When the
Register an application page
appears, enter your application's registration information:
In the
Name
section, enter a meaningful application name that will be displayed to users of the app, such as
backend-app
.
In the
Supported account types
section, select an option that suits your scenario.
Leave the
Redirect URI
section empty.
Select
Register
to create the application.
On the app
Overview
page, find the
Application (client) ID
value and record it for later.
Under the
Manage
section of the side menu, select
Expose an API
and set the
Application ID URI
with the default value. If you're developing a separate client app to obtain OAuth 2.0 tokens for access to the backend-app, record this value for later.
Select the
Add a scope
button to display the
Add a scope
page:
Enter a new
Scope name
,
Admin consent display name
, and
Admin consent description
.
Make sure the
Enabled
scope state is selected.
Select the
Add scope
button to create the scope.
Repeat the previous two steps to add all scopes supported by your API.
Once the scopes are created, make a note of them for use later.
The following example policy, when added to the
<inbound>
policy section, checks the value of the audience claim in an access token obtained from Azure AD that is presented in the Authorization header. It returns an error message if the token is not valid. Configure this policy at a policy scope that's appropriate for your scenario.
In the
openid-config
URL, the
aad-tenant
is the tenant ID in Azure AD. Find this value in the Azure portal, for example, on the
Overview
page of your Azure AD resource. The example shown assumes a single-tenant Azure AD app and a v2 configuration endpoint.
The value of the
claim
is the client ID of the backend-app you registered in Azure AD.
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />
<audiences>
<audience>{audience-value - (ex:api://guid)}</audience>
</audiences>
<issuers>
<issuer>{issuer-value - (ex: https://sts.windows.net/{tenant id}/)}</issuer>
</issuers>
<required-claims>
<claim name="aud">
<value>{backend-app-client-id}</value>
</claim>
</required-claims>
</validate-jwt>
The preceding openid-config URL corresponds to the v2 endpoint. For the v1 openid-config endpoint, use https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration.
For information on how to configure policies, see Set or edit policies. Refer to the validate-jwt reference for more customization on JWT validations. To validate a JWT that was provided by the Azure Active Directory service, API Management also provides the validate-azure-ad-token policy.
Authorization workflow
A user or application acquires a token from Azure AD with permissions that grant access to the backend-app.
The token is added in the Authorization header of API requests to API Management.
API Management validates the token by using the validate-jwt policy.
If a request doesn't have a valid token, API Management blocks it.
If a request is accompanied by a valid token, the gateway can forward the request to the API.
Next steps
To learn more about how to build an application and implement OAuth 2.0, see Azure AD code samples.
For an end-to-end example of configuring OAuth 2.0 user authorization in the API Management developer portal, see How to authorize test console of developer portal by configuring OAuth 2.0 user authorization.
Learn more about Azure AD and OAuth2.0.
For other ways to secure your back-end service, see Mutual certificate authentication.
