API Management | Protect Your Backend API with Azure AD using APIM

Captions
Welcome back to Be a Learner and yet another video on API Management. In today's video we are going to discuss how to protect your backend API with the help of Azure Active Directory authentication and authorization. Before I begin the discussion, it's my humble request to subscribe to my channel by clicking on the subscribe button and the bell notification, so that you do not miss any notification for the videos which I will be uploading in future. Without further delay, let's begin the discussion.

Let me show you the configuration simulation from this presentation. So here we have the system where the end user is going to connect to the API via API Management. The user will call the API through API Management by sending a request, and the request will be submitted to API Management. In API Management we have the inbound policy configured, so that JWT inbound policy will validate your request and make sure that it contains the appropriate JWT token; then it will pass the request to the backend server. If not, it will throw an error, which is a 401 Unauthorized error. Now, to validate the Active Directory token, API Management sends a request to check and validate the token against Active Directory for your backend server, and once validated the request will be sent on to the backend API. The entire configuration has been done at the API Management layer; we have not done any changes in the source code of the backend API.

Let's move to the developer portal and see how we configure this particular setup. I have API Management already configured from our previous demonstration, so this is my API Management. Before we do the configuration, make sure you have the developer portal already published for your API Management. If you haven't, you can go to the developer portal overview section and click on the publish button here, which will publish the developer portal. If you are trying to publish the developer portal for the very first time, click here on the developer portal button; that will open the developer portal in edit mode, and you can publish the developer portal in edit mode from this particular operations button.

For this, first of all I need to have two app registrations: a client app registration and a server app registration. Let's go to Active Directory and configure the client and server app registrations. I'll go to App registrations, click New registration and call it "backend app", which is my backend app registration. You can leave this as the default option; select the redirect option as web, make sure it is selected as web, keep this empty for now and click on Register. I'll copy this client ID. Next, go to Expose an API and add a scope; your application ID URI will be added by default, so save it as is. Add the scope as File.Read, with a description like "Read all your files", anything really; it will save automatically.

Now I'll create a client app registration, or the front-end app registration. I'll call this "client app"; you can give any name. This time I am going to select accounts in any organizational Active Directory, for multi-tenant. Select web as is, and I am going to leave this empty as well; we are going to set this up later on. Click on Register. This time we will go to API permissions, click Add a permission, select My APIs, select the backend app, select the permission which we have set up, and add permissions, and make sure you are granting admin consent. That's it. I'll copy this client registration ID, which is my client one. One last thing: click on Certificates & secrets, add a new client secret, give it a name and then copy the secret value.

Now let's go to API Management. So I'm in API Management; I'll go to the developer portal OAuth 2.0 + OpenID Connect settings. Click on Add, give it any name, I'll say "aad oauth 2.0", and I'll just provide the description. For the client registration URL I'll say https://localhost. Keep the authorization grant type as authorization code. For the authorization endpoint URL and the token endpoint URL, I'll go to Active Directory again, go to the backend app registration's endpoints, copy this authorization endpoint URL and use it here, and then copy the token URL as well. Select the POST option so that it authorizes both GET and POST requests. For the backend app, I'll go to the backend app, Expose an API, and copy this scope; this scope value we need to provide here. Now go to the app registration manifest and change this manifest value to 2, because we are using version 2. So if you are using the version 2 endpoint URL, which is this one, then make sure your app registration manifest accessTokenAcceptedVersion value is 2 instead of null. If you are using version 1 then it's okay, you can leave it as is. Copy the client ID, copy the secret which we created last time, copy this particular redirect URL and click on Create; your OpenID configuration in API Management is configured successfully. This particular URL which we copied: go to the client application's Authentication settings, add a new platform, select web, provide the redirect URL, and select access tokens and ID tokens as well; it is saved automatically. That's it.

Let's protect our API with the OAuth configuration which we have set up. I'll go to APIs; I have the Echo API, which is our default API for now. I'll go to Settings, select the security option, and instead of None select the OAuth 2.0 configuration which we have configured just now, then click on Save. To protect our APIs with the JWT inbound policy, I'll copy this JWT inbound policy configuration available in the Microsoft documentation; I'll be posting the link in the description. We'll copy this and then replace this URL. This URL you can find here in the documentation; as we are using v2 we can use the URL as is, or you can find the URL in the Endpoints section, which is this one; this is the URL which we are talking about. Then you need to copy the backend app registration's application ID, so I'll copy the application ID for the backend app registration. Copy the policy section; I'll go to the Echo API design and here in the policy section we'll configure the policy. I'll go ahead and define the inbound policy for the JWT token validation and click on Save.

Let's test the API now. As we are not passing a valid token, we're getting the response back as 401. Once you modify the security settings for your API Management and you configure the policies, in order to reflect these settings in your developer portal make sure you publish the developer portal. I have already published the developer portal so that the changes get reflected; the changes are published successfully. Let's go to the API, Try it, and select authorization code. So I'll be using my Active Directory account; I'll use my Active Directory account password. The account is successfully verified, and now if I scroll down, the JWT token has been generated; this is the token. Now I need to provide the subscription key, so let's grab a subscription key for your API Management. I'll go to the unlimited subscription, copy the subscription key, and that's what I am going to provide. Let's do that. So we should be able to call the API now. Now let's see: if I do not pass the authorization code, I'm expecting to get a 401 error. It is not authorized. So that's how you can protect your APIs with Azure AD.

So a couple of things to note. First, once you make any changes to the developer portal configuration or settings from here, make sure you are publishing the developer portal. For example, this is the setting which comes under the developer portal group, so if you are making any changes here, make sure you are publishing the changes, or publishing the developer portal, in order to get the effect on the developer portal, for example to get the effect of the Azure AD security authentication. Next, the default scope: your scope has to be the backend API scope which we have used and defined, and that's the reason we have defined this particular scope. And the last thing is about the inbound policy which we have configured for our API Management. If I expand it, I'll explain: this is the validate-jwt policy, which is basically authorizing our inbound JWT token. So what we are saying is: if it's unauthorized then this is the message we would like to send to the user, or the request message; this is the OpenID config which we are using to grab or validate the token; and this is our backend API app which we are going to use to validate the token.

I hope this was helpful for protecting your backend API with the help of the Azure Active Directory authentication mechanism. If you like the video, please give it a thumbs up, don't forget to subscribe to the channel, and see you in the next video. Thanks.
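The inbound policy the speaker walks through at the end, written out in full as an added example (this is not the policy file shown in the video, which was copied from the Microsoft documentation). `{tenant-id}` and `{backend-app-client-id}` are placeholders for the Azure AD tenant and for the application (client) ID of the backend app registration; the scope name `File.Read` is assumed to match the scope exposed on the backend app, and the `required-claims` block is an optional check beyond what the video configures:

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example (not the video's own policy): reject any request whose
             Authorization: Bearer token is missing, unsigned, expired or not
             issued for the backend app, and answer with HTTP 401. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-expiration-time="true"
                      require-scheme="Bearer"
                      require-signed-tokens="true">
            <!-- v2 metadata document; APIM pulls the issuer and the jwks_uri
                 signing keys from it. {tenant-id} is a placeholder. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- Expected 'aud' claim: the application (client) ID of the backend
                 app registration (the value copied in the video). Placeholder. -->
            <audiences>
                <audience>{backend-app-client-id}</audience>
            </audiences>
            <!-- Optional, beyond the video: also require the delegated scope the
                 client app was granted. Scope name is an assumption. -->
            <required-claims>
                <claim name="scp" match="any">
                    <value>File.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two caveats worth checking before relying on this. The audience value above assumes v2 access tokens, which is why the video sets `accessTokenAcceptedVersion` to 2 in the backend app's manifest; with v1 tokens the `aud` claim is the Application ID URI (`api://{backend-app-client-id}`) and the `<audience>` value has to match that instead. And the subscription key the video adds in the developer portal is a separate APIM check from this policy: a request with a valid subscription key but no bearer token still gets the 401 shown in the demo, while a valid token without a key is rejected by the subscription check.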
Info
Channel: Our Cloud School
Views: 13,431
Keywords: protect Your Backend API with Azure AD using APIM, API Management
Id: _FigPkMbinU
Length: 11min 10sec (670 seconds)
Published: Sun Apr 04 2021