Saturday, September 7, 2024

Configuring Postman to Retrieve an OAuth 2.0 Token from Entra ID for Calling an API via APIM

This article is the second part of a two-part series. Below are the different parts of this article series.


In this article, I will guide you through configuring your Postman client to retrieve an access token from Entra ID, enabling you to call an API exposed via APIM.

For better organization, I have grouped related APIs into a collection.

Navigate to the Authorization section of the collection and provide the following details.

You can obtain most of the required details from your client App Registration. These parameters are readily available in the Endpoints view of your client application. We covered how to create and configure a client App Registration in our previous blog post.

Following are some important parameters:

#Auth URL
OAuth 2.0 authorization endpoint (v2) in the Endpoints view of your client app registration

#Access Token URL
OAuth 2.0 token endpoint (v2) in the Endpoints view of your client app registration

#Client ID
Client ID of your client app registration

#Client Secret
Client secret you generated within your client app registration

#Callback URL
Redirect URL from the Authentication section (shown in the diagram below)

That completes the configuration. You can now click the Get New Access Token button to interactively retrieve an access token.
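As an added illustration (not part of the original post), here is a Python sketch of what the Get New Access Token button does with the parameters above: it builds the authorize request, checks the state returned on the callback, and builds the form body for the token exchange. It goes a little beyond the post by adding PKCE and a state check, both of which Postman also supports; the placeholder values and the api://... scope format are assumptions, and the actual HTTP calls are left to the client.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: substitute the values from your own client app registration.
TENANT_ID = "<Tenant ID>"
CLIENT_ID = "<Client ID of the client app registration>"
CLIENT_SECRET = "<client secret>"
CALLBACK_URL = "<Redirect URL from the Authentication section>"
SCOPE = "api://<backend app id>/<scope name>"  # scope exposed under Expose an API (assumed format)
AUTH_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

def pkce_pair(verifier=None):
    """PKCE S256 (RFC 7636); Postman's 'Use PKCE' option generates the same pair."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(state, code_challenge):
    """Step 1: the URL the browser is sent to (Postman opens it for you)."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": CALLBACK_URL,
              "scope": SCOPE, "state": state, "code_challenge": code_challenge,
              "code_challenge_method": "S256"}
    return f"{AUTH_URL}?{urlencode(params)}"

def parse_callback(redirect_url, expected_state):
    """Step 2: Entra ID redirects to the callback URL with ?code=...&state=...
    Reject the response unless the state we sent comes back unchanged."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]

def build_token_request(code, code_verifier):
    """Step 3: form body POSTed to TOKEN_URL to exchange the code for an access token."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code, "redirect_uri": CALLBACK_URL,
            "scope": SCOPE, "code_verifier": code_verifier}
```

The client secret belongs in the token request body only, never in the browser-facing authorize URL.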

Next, ensure that your API request is configured to inherit the token from its parent collection, as shown below.

Then you can successfully retrieve the response with a valid access token.

Wednesday, August 21, 2024

Using Azure's Diagnose & Solve Problems Feature to Troubleshoot Cloud Issues

You might encounter errors in your Azure cloud workloads and take various measures to resolve them. However, Azure provides built-in assistance through the Diagnose & solve problems feature.

The Diagnose & solve problems feature in Azure is an intelligent troubleshooting tool designed to help users identify and resolve issues.

Here is an instance where I used this feature to troubleshoot a connectivity issue with an Azure Storage Account firewall.

I enabled the firewall on my storage account to restrict access to a specific public IP address.

And I have whitelisted my public IP address as shown below.

Despite configuring it as mentioned above, I still encountered the following error when I tried to access the container. This is when I used the Diagnose & solve problems feature.

I selected the Firewalls & Virtual Networks section.

Next, I selected Connectivity issues after enabling storage firewall.

Here is the final response I received, which revealed that I had whitelisted the wrong IP address.

This allowed me to resolve the issue very quickly.

Tuesday, August 13, 2024

Securing Backend API Using OAuth2 with Entra ID and Azure API Management

In this article, I will demonstrate how to use Azure API Management (APIM) features to secure an API that lacks authentication or authorization. 

This article is the first part of a two-part series. Below are the different parts of this article series.

Legacy APIs often do not have built-in security mechanisms, and updating them may be either impractical or too costly. In such cases, securing them through Azure API Management provides an effective solution.

The solution consists of four steps:
  1. Configuration of Entra ID App Registrations
  2. Configuration of APIM OAuth2 service
  3. Configuration of OAuth 2 settings within the API in APIM
  4. Test using the Test console

1. Configuration of Entra ID App Registrations

App registrations in Microsoft Entra ID are a way to register applications so they can integrate with Microsoft's identity platform. This process establishes a trust relationship between the application and the identity provider, enabling secure authentication and authorization.

We need to create two App Registrations in Azure Active Directory:
  • One for the backend API that we are securing.
  • Another for the client that will call our API, which could be the APIM Developer Portal or Postman.
In the next article, I will provide a detailed walkthrough on how to connect the client App Registration with Postman for authentication and testing.

Here is the process I followed:

Use the default options to create both App registrations. Keep the redirect URL blank for now.

Next, navigate to the backend app registration and add a scope under the Expose an API section. This defines the permission that clients must request to access the API securely.

Next, navigate to the client app registration and assign the previously created scope under the API permissions section. 

After adding the permission, grant admin consent to ensure the client can request and use the assigned scope when calling the API.

Next, within the client app registration, navigate to the Certificates & secrets section and create a client secret. Once generated, be sure to copy and securely store the secret, as it won’t be visible again. Using Azure Key Vault is a recommended approach for securely storing and managing the client secret.

We need to configure the callback URL in our client app registration. But first, we must generate this URL within the OAuth 2.0 service in APIM. Once generated, this URL should be added to the Redirect URIs section in the client app registration. We will discuss that within the next section.

2. Configuration of APIM OAuth2 service

In our API Management instance, we need to create an OAuth 2.0 service, which will interact with our App Registrations to retrieve an access token. This service acts as the bridge between API Management and Azure Active Directory, enabling secure authentication and authorization for API requests.

Navigate to your API Management instance and select the OAuth 2.0 + OpenID Connect section under Developer portal.

The configuration parameters have the following format:

#Authorization endpoint URL
https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/authorize

#Token endpoint URL
https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token

You can get these values from your client app registration.

Copy the Authorization Code Grant flow URL generated in the OAuth2 service within API Management and paste it into the Redirect URI section of the client app registration. This ensures that after successful authentication, Azure AD can redirect the authorization response back to API Management.

The APIM OAuth 2.0 service redirect URL is shown below.

The Authentication section in the client app registration is shown below.

3. Configuration of OAuth 2 settings within the API in APIM

Go to the Settings section of your API within API Management (APIM) and select the OAuth 2.0 service you previously created. This associates the API with the authentication flow.

This completes the basic OAuth 2.0 configuration. However, to enhance security, we can take an additional step by adding token validation in our API operation using an APIM policy.

Navigate to the Inbound processing section, open the policy code editor and add a validate-jwt policy such as the following (replace <YOURTENANTID> with your tenant ID and the aud value with the client ID of your backend app registration):
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/<YOURTENANTID>/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>319aa8ca-f607-45c3-ac83-e3a510666883</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
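To show what the validate-jwt policy above rejects, here is an added Python example (not APIM's code, nor from the original post) that mirrors its checks in the same order: signature, then the aud, iss and exp claims. It uses a constructed HS256 secret so it runs offline; real Entra ID tokens are RS256 and APIM verifies them against the keys published at the openid-config URL. The aud value is the one from the policy, and the issuer uses the same tenant placeholder.

```python
import base64, hashlib, hmac, json

# Values from the policy above; the tenant id stays a placeholder.
EXPECTED_AUD = "319aa8ca-f607-45c3-ac83-e3a510666883"
EXPECTED_ISS = "https://login.microsoftonline.com/<YOURTENANTID>/v2.0"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def make_test_token(claims, secret):
    """Constructed HS256 token so the example runs offline. Entra ID issues
    RS256 tokens that APIM verifies with the keys at the openid-config URL."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jwt(token, secret, now):
    """Same order as validate-jwt: signature first, then the required claims.
    `now` is a Unix timestamp so tests are deterministic."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JSON object expected")
    except ValueError:  # also covers binascii.Error and JSONDecodeError
        return False, "undecodable token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own alg
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"  # token was issued for a different API
    if claims.get("iss") != EXPECTED_ISS:
        return False, "issuer mismatch"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    return True, "ok"
```

The audience check is the one that matters most here: a perfectly valid token minted for some other application in the tenant still fails with 401 at APIM.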

4. Test using the Test console

You can now test the OAuth 2.0 flow within the Test Console or the Developer Portal. In the Test Console, add the Authorization header and provide a valid access token to simulate an authenticated API request.

Sunday, August 4, 2024

Presentation - API Security: Essential Practices for Developers

Recently I did a presentation for a local community on how to implement secure APIs. Following is the presentation I conducted.

Tuesday, July 30, 2024

Mentorship - Mentoring Circle for Microsoft Data & AI Bootcamp

I had the privilege of participating in the mentorship circle for the Microsoft Data & AI Bootcamp on July 12th. The students were incredibly enthusiastic and eager to learn new technologies.

Monday, June 10, 2024

Presentation - Securely expose backend services with Azure API Management

Recently I did a session on Azure API Management for the Microsoft Zero to Hero community. Azure API Management allows you to securely expose backend services to deliver business value.

Following is the event.

Following is the presentation I did.

Following is the recording of that session.

Sunday, April 21, 2024

Presentation - Implementing Zero Trust strategy with Azure

I recently conducted a session on addressing modern security challenges and implementing the zero-trust model at Global Azure 2024, hosted by Microsoft in Perth.

It was an enlightening event with a wealth of technical content presented.

If you're new to zero trust with Microsoft solutions, here are some great starting points to consider:

Following is the presentation I did at the event.

Following are a few snaps from the event.