This article is intended to summarize a very common scenario where we would like to authenticate an API using OAuth2.0 authentication using azure AD and Azure API Management. There exist a simple and easy way to do the same. Here’re the steps,
We need to make two applications inside Azure Active Directory. In this case I am naming these as EchoBackend (your Backend API which is a web application) and Testclientapp(The Client API which is a native app). I am mentioning the steps assuming you are familiar in making applications in azure AD and with the Publisher and Developer portal of azure APIM.
- Make EchoBackend application with the help of following information: [Type: Web Application]
- Make Testclientapp application with following parameters: [Type: Native App]
- Name: Testclientapp
- Client ID: yyyyyyyy-5659-4cf6-87bd-ad8d176521d2 (assuming)
- redirectURI: https://kalpitsinghtest.portal.azure-api.net/docs/services/57d0xxxxxxxxx208bce4386c/console/oauth2/authorizationcode/callback (can be taken from the publisher portal with respect to your API or for time being it can be anything)
- Add Permission: 1- Access echo backend 2-Check the last permission.
- Change the security to OAuth2.0 in developer portal:
- Make Authorization end point url: https://login.microsoftonline.com/374bxxxxxxx-4b92-a9c9-8bea4b16f35a/oauth2/authorize
- Add one Additional body parameters named resource with value web app Uri- resource : https://kalpitsinghtest.azure-api.net/
- Client authentication method: basic
- Clinet ID: yyyyyyyy-5659-4cf6-87bd-ad8d176521d2
- Authorization endpoint url and Token endpoint URL: as per AD tenant.
- Use the redirect_uri as testclientapp.
Please refer following article documenting more details: https://azure.microsoft.com/en-in/documentation/articles/api-management-howto-protect-backend-with-aad/#configure-an-api-management-oauth-20-authorization-server
Hope this simplifies the understanding.