Wednesday, August 21, 2024

Using Azure's Diagnose & Solve Problems Feature to Troubleshoot Cloud Issues

You might encounter errors in your Azure cloud workloads and take various measures to resolve them. However, Azure provides built-in assistance through the Diagnose & solve problems feature.

The Diagnose & solve problems feature in Azure is an intelligent troubleshooting tool designed to help users identify and resolve issues.

Here is an instance where I used this feature to troubleshoot a connectivity issue with an Azure Storage Account firewall.

I enabled the firewall on my storage account to restrict access to a specific public IP address.

And I have whitelisted my public IP address as shown below.

Despite configuring it as mentioned above, I still encountered the following error when I tried to access the container. This is when I used the Diagnose & solve problems feature.

I selected the Firewalls & Virtual Networks section.

Next, I selected Connectivity issues after enabling storage firewall.

Here is the final response I received, which revealed that I had whitelisted the wrong IP address.

This allowed me to resolve the issue very quickly.

Tuesday, August 13, 2024

Securing Backend API Using OAuth2 with Entra ID and Azure API Management

In this article, I will demonstrate how to use Azure API Management (APIM) features to secure an API that lacks authentication or authorization.

This article is the first part of a two-part series. Below are the different parts of this article series.

Legacy APIs often do not have built-in security mechanisms, and updating them may be either impractical or too costly. In such cases, securing them through Azure API Management provides an effective solution.

The solution consists of four steps:
  1. Configuration of Entra ID App Registrations
  2. Configuration of APIM OAuth2 service
  3. Configuration of OAuth 2 settings within the API in APIM
  4. Test using the Test console

1. Configuration of Entra ID App Registrations

App registrations in Microsoft Entra ID are a way to register applications so they can integrate with Microsoft's identity platform. This process establishes a trust relationship between the application and the identity provider, enabling secure authentication and authorization.

We need to create two App Registrations in Microsoft Entra ID (formerly Azure Active Directory):
  • One for the backend API that we are securing.
  • Another for the client that will call our API, which could be the APIM Developer Portal or Postman.

In the next article, I will provide a detailed walkthrough on how to connect the client App Registration with Postman for authentication and testing.

Here is the process I followed:

Use the default options to create both App registrations. Leave the redirect URL blank for now; it is filled in once the APIM OAuth 2.0 service has generated it (section 2).

Next, navigate to the backend app registration and add a scope under the Expose an API section. This defines the permission that clients must request in order to obtain an access token for the API.

Next, navigate to the client app registration and assign the previously created scope under the API permissions section.

After adding the permission, grant admin consent to ensure the client can request and use the assigned scope when calling the API.

Next, within the client app registration, navigate to the Certificates & secrets section and create a client secret. Once generated, be sure to copy and securely store the secret, as it won’t be visible again. Using Azure Key Vault is a recommended approach for securely storing and managing the client secret.

We need to configure the callback URL in our client app registration. But first, we must generate this URL within the OAuth 2.0 service in APIM. Once generated, this URL should be added to the Redirect URIs section in the client app registration. We will discuss that within the next section.

2. Configuration of APIM OAuth2 service

In our API Management instance, we need to create an OAuth 2.0 service, which will interact with our App Registrations to retrieve an access token. This service acts as the bridge between API Management and Azure Active Directory, enabling secure authentication and authorization for API requests.

Navigate to the API Management instance and select the OAuth 2.0 + OpenID Connect section under Developer portal.

The configuration parameters have the following format:

#Authorization endpoint URL
https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/authorize

#Token endpoint URL
https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token

You can get these values from the Endpoints view of your client app registration.

Copy the Authorization Code Grant flow URL generated in the OAuth2 service within API Management and paste it into the Redirect URI section of the client app registration. This ensures that, after successful authentication, Azure AD can redirect the authorization response back to API Management.
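As an added example (not the article's own code and not Azure's), the Python below builds the two requests behind the authorization code grant that the APIM OAuth 2.0 service runs against the endpoints above: the browser redirect to the authorize endpoint and the form body posted to the token endpoint, plus the app-only client credentials variant that uses the client secret alone. The tenant ID, both application IDs, the scope name and the APIM callback URL are constructed placeholders; PKCE is included as the usual hardening for public clients such as Postman. The exact-match check at the end shows why the callback URL must be pasted into the app registration verbatim.

```python
# Added example (not the article's or Azure's own code): the requests behind the
# APIM OAuth 2.0 service's authorization code grant against the Entra ID v2.0
# endpoints. All IDs, names and URLs below are constructed placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

TENANT_ID = "00000000-0000-0000-0000-000000000000"       # constructed placeholder
CLIENT_APP_ID = "11111111-1111-1111-1111-111111111111"   # client app registration (constructed)
BACKEND_APP_ID = "22222222-2222-2222-2222-222222222222"  # backend API app registration (constructed)
SCOPE_NAME = "api.read"                                   # scope added under "Expose an API" (constructed)
# Shape of the callback URL generated by the APIM OAuth 2.0 service (constructed)
APIM_REDIRECT_URI = "https://contoso-apim.developer.azure-api.net/signin-oauth/code/callback/entra"

AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def api_scope(backend_app_id: str, scope_name: str) -> str:
    """v2.0 scope string for a custom API: Application ID URI plus the exposed scope name."""
    return f"api://{backend_app_id}/{scope_name}"


def pkce_pair() -> tuple[str, str]:
    """PKCE code_verifier and its S256 code_challenge (base64url without padding)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, code_challenge: str) -> str:
    """Step 1: the user's browser is sent here; after sign-in Entra ID redirects to
    redirect_uri with ?code=...&state=... (state is echoed back and must be checked)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str,
                  code_verifier: str, scope: str) -> dict:
    """Step 2: form body POSTed to TOKEN_URL to exchange the code for an access token.
    redirect_uri must repeat the value used in step 1."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": scope,
    }


def client_credentials_request(client_id: str, client_secret: str, backend_app_id: str) -> dict:
    """App-only variant (no signed-in user): the client secret with the .default scope
    yields a token whose aud is the backend API."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{backend_app_id}/.default",
    }


def redirect_uri_is_registered(redirect_uri: str, registered: list[str]) -> bool:
    """Entra ID only honours a redirect_uri that exactly matches a registered
    Redirect URI (scheme, host, path and trailing slash all count), which is why
    the APIM callback URL is copied into the client app registration verbatim."""
    return redirect_uri in registered


def demo() -> dict:
    """Build one authorization request and return its parsed query for inspection."""
    verifier, challenge = pkce_pair()
    url = build_authorize_url(CLIENT_APP_ID, APIM_REDIRECT_URI,
                              api_scope(BACKEND_APP_ID, SCOPE_NAME),
                              "constructed-state", challenge)
    return {"url": url, "query": parse_qs(urlparse(url).query),
            "verifier": verifier, "challenge": challenge}


if __name__ == "__main__":
    d = demo()
    print(d["url"])
    print(token_request(CLIENT_APP_ID, "<client-secret>", "<code-from-redirect>",
                        APIM_REDIRECT_URI, d["verifier"], api_scope(BACKEND_APP_ID, SCOPE_NAME)))
```

The scope string is the part that most often goes wrong in practice: a token requested without the `api://<backend app id>/...` scope is issued for a different audience and will be rejected by the API even though sign-in succeeded.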

The redirect URL of the APIM OAuth 2.0 service is shown below.

The Authentication section of the client app registration is shown below.

3. Configuration of OAuth 2 settings within the API in APIM

Go to the Settings section of your API within API Management (APIM) and select the OAuth 2.0 service you previously created. This associates the API with the authentication flow.

This completes the basic OAuth 2.0 configuration. However, associating the OAuth 2.0 service with the API configures how the Developer Portal and Test console obtain a token; it does not yet make the gateway check that a valid token is present on each call. To enforce that, we take an additional step and add token validation to our API operation using an APIM policy.

Navigate to the Inbound processing section and open the policy code editor. The policy below rejects a request with 401 unless the Authorization header carries a token signed by the tenant's published signing keys (discovered through the OpenID configuration URL) whose aud claim matches the expected audience:
    <inbound>
        <base />
        <!-- Reject the request with 401 unless the bearer token validates -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Signing keys and issuer are discovered from the tenant's OpenID metadata; replace YOURTENANTID with your tenant ID -->
            <openid-config url="https://login.microsoftonline.com/YOURTENANTID/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <!-- The token must have been issued for this API: the application (client) ID of the backend app registration -->
                <claim name="aud">
                    <value>319aa8ca-f607-45c3-ac83-e3a510666883</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>

4. Test using the Test console

You can now test the OAuth 2.0 flow within the Test Console or the Developer Portal. In the Test Console, add an Authorization header whose value is the word Bearer followed by a space and a valid access token to simulate an authenticated API request.
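To make the policy's decisions concrete, here is an added example (not APIM's own code) that models offline what the validate-jwt policy in section 3 checks before a request reaches the backend, and runs it against the kinds of tokens one ends up sending from the Test Console. Entra ID signs access tokens with RS256 keys published at the openid-configuration URL; the example uses HS256 with a constructed secret so it runs without network access, but the order and meaning of the checks are the same. The tenant ID, audience, timestamps and tokens are all constructed.

```python
# Added example (not APIM's own code): an offline model of what the validate-jwt
# policy checks, applied to constructed tokens. Entra ID signs access tokens with
# RS256 keys published at the openid-configuration URL; HS256 with a constructed
# secret stands in for that here so the example runs offline.
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"                    # stands in for the tenant's JWKS keys
TENANT_ID = "00000000-0000-0000-0000-000000000000"       # constructed placeholder
BACKEND_APP_ID = "22222222-2222-2222-2222-222222222222"  # expected aud: backend app registration (constructed)
EXPECTED_ISS = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
NOW = 1_724_000_000                                      # constructed "current" Unix time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a signed test token (constructed; real tokens come from the token endpoint)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_jwt(authorization, expected_aud, expected_iss, required_scope=None, now=None):
    """Return (http_status, reason): 200 lets the request through to the backend,
    401 mirrors failed-validation-httpcode in the policy."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "Authorization header missing or not a Bearer token"
    parts = authorization[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return 401, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return 401, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401, "malformed token"
    # Signature first: nothing in an unverified payload can be trusted.
    if header.get("alg") != "HS256":
        return 401, "unexpected signing algorithm"
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 401, "signature does not verify"
    if claims.get("iss") != expected_iss:
        return 401, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return 401, "audience mismatch"            # the <required-claims> aud check
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    if claims.get("nbf", 0) > now:
        return 401, "token not yet valid"
    if required_scope and required_scope not in claims.get("scp", "").split():
        return 401, "required scope missing"
    return 200, "ok"


def sample_outcomes() -> dict:
    """Constructed tokens covering the cases commonly seen when testing from the Test console."""
    base = {"iss": EXPECTED_ISS, "aud": BACKEND_APP_ID, "scp": "api.read",
            "nbf": NOW - 60, "exp": NOW + 3600}
    good = mint_token(base)
    wrong_aud = mint_token({**base, "aud": "33333333-3333-3333-3333-333333333333"})  # token for another API
    expired = mint_token({**base, "exp": NOW - 1})
    forged = mint_token(base, key=b"attacker-key")   # right claims, wrong signing key
    check = lambda hdr: validate_jwt(hdr, BACKEND_APP_ID, EXPECTED_ISS, "api.read", NOW)
    return {
        "valid": check(f"Bearer {good}"),
        "no_bearer_prefix": check(good),             # token pasted without "Bearer "
        "wrong_audience": check(f"Bearer {wrong_aud}"),
        "expired": check(f"Bearer {expired}"),
        "forged": check(f"Bearer {forged}"),
    }


if __name__ == "__main__":
    for name, outcome in sample_outcomes().items():
        print(f"{name:18} -> {outcome}")
```

The audience case is the one the policy's `<required-claims>` block exists for: a token that is genuinely issued by the tenant but requested for a different resource verifies cryptographically and still must be refused. Adding a scope check on `scp`, as done here, goes one step beyond the page's policy and is optional.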

Sunday, August 4, 2024

Presentation - API Security: Essential Practices for Developers

Recently I did a presentation for a local community on how to implement secure APIs. Following is the presentation I conducted.