Learn how to develop with Azure API Management & Credential Manager

Captions
Hi everyone, my name is Julia and I'm part of the Azure API Management team here at Microsoft. With me today I have Logan, who is one of our engineers on the team, and we have some exciting new demos, some new features in the product to show. So today we will be talking about credential manager, formerly known as authorization. It's a brand new feature in the product with some new exciting capabilities, which we will be demonstrating today.

Before we jump into the demo, let's talk a little bit about the basics, and let's talk a little bit about what credential manager is. Credential manager is a central repository within your Azure API Management instance. You can use it for managing, storing and controlling access to your API access tokens. With credential manager you can greatly simplify the process of authentication and authorization, and we all know what a big pain point this can be whenever implementing, right? So in particular, credential manager helps with your API access tokens, from the acquisition, caching, refreshment and storage of your API tokens, and all of this without having to write a single line of code.

Let's take a more detailed look at OAuth 2, a secure and standardized protocol for authorization. So OAuth 2 involves requesting an access token from an authorization server and returning this access token to your client, so the token can be used to request access to your resources. As you can see, there are a lot of steps involved and implementation can be very complex. Developers also have to make sure they are always keeping up with security best practices. So with credential manager we will support you with your OAuth implementation. We will help you retrieve your API access token, we will create a so-called connection in API Management with the API access token information, we will take care of the refreshment of these tokens so everything stays up to date, and whenever you want to use it you can just go ahead and do so. And finally, with access policies we will make sure that managing access to your tokens stays secure and safe, and you can only use it, or only allowed entities can use it, whenever they need the information.

So how can you use credential manager? Credential manager covers two main scenarios: one is an unattended scenario and the other one is an attended scenario. Let's take a look at the unattended scenario. As a first step we have to do some configuration: an API manager, for example, goes into your Azure API Management instance and configures a new credential provider. After this, a preconfigured connection will get created, with an access policy assigned to the API Management managed identity. And then during runtime, this could be for example a time-triggered Azure Function: the Azure Function will call our API endpoint in Azure API Management, and via our get-authorization-context policy we will get the API access token for you from the preconfigured connection, and then we will attach it to the API call to get the information we need. So this is already something we've done before.

Let's talk about the new capabilities, let's talk about the attended scenario here, and what does this scenario look like? Again, some configuration is needed here. Again, an API manager configures a credential provider, but only the credential provider and not the connection, because the connection actually gets created when, for example, a user logs into, let's say, a static web app. This will trigger the process of creating a new connection for the user. And then during runtime a user triggers our API endpoint, for example by clicking a button on our static web app, and this will call again our endpoint in Azure API Management. It will get our user token, it will attach the user token to our API call, and then this time we will retrieve data based on the user that has been logged into our static web app. But yeah, let's take a look at what this actually looks like in action, and handing it over to Logan.

Awesome, thank you Julia. We'll go ahead and look at the demo. So we're going to go ahead and start within the Azure portal, within our Azure API Management service instance. So I've already gone ahead and clicked into the credential manager blade on the left, and we'll see that we already have some preconfigured credential providers like we talked about earlier. So I've gone in and I've created an AAD credential provider. If we click into the settings we'll see a couple different things: we'll see that we are using the Azure Active Directory version one identity provider and the authorization code grant type for our user. The rest of it is more related to the app registration that we are giving our connection access to. We'll go back over to GitHub and we'll take a look at a similar story. So we're going to see the GitHub identity provider, we're going to see authorization code, and we're going to see some information related to the GitHub OAuth app that I also already configured. So that's all we've set up with credential manager so far.

There are a couple of prerequisites that I want to point out. So over in our app registration we'll see that we have an AAD app that we've already created. This is the AAD app that is going to be used to retrieve access tokens for our user, and what we've gone ahead and done is we've provisioned this Azure API Management Data Plane first-party app within our tenant, and we've assigned the authorizations read scope to allow credential manager to use our user's credentials. So that's a little thing that you need to keep in mind, but that's credential so far. I'm going to click over here to APIs just to be able to quickly go from here later on, but we'll get to that later.

So looking at the demo: we're first prompted with a screen to log in in order to view our connections. So I'm going to log in, I am going to sign into my own account, going to wait for things to load, and we're presented with a couple different things. So we see credential providers up at the top, so this should look very familiar to what we just saw in the Azure portal: we see AAD and we see GitHub. We also see a couple of buttons to create new connections for our user, so let's go ahead and click some buttons. Awesome, so we've created some connections. We'll see that they're in a bit of an error state right now, but what's going on under the hood is we've created this connection and we've also added a new access policy assigned to the signed-in user. So this allows and makes sure that the connection that is being used is only used by the signed-in user, so that's something cool to note about the new attended scenario that we talked about earlier.

But now let's get to the status error. So we've got to log in in order to use our connections, so I'm going to log in and we're going to be presented with the login screen. So I've already authorized the different scopes for this, so there would be an extra step if this was your first time doing that, so that's something to just keep in mind. I'll log in for the GitHub one as well, and similar story: I've already logged into GitHub, so I'm already seeing, you know, the confirmation required, access is permitted.

So, but again, this has to be only done once, right?

Correct, yes, yeah, exactly, which is a nice feature. So we'll go ahead and refresh the screen and we'll now see that the connections are connected, which gives us free rein to use them at this point. So we'll scroll down and we'll look at the available APIs. So I'm going to pause right here for the demo, and we're going to go back to the Azure portal and take a look at what we configured within Azure API Management. So we'll see that we have this GitHub API and the Microsoft Graph API. Looking into GitHub, we see a get user endpoint. This is simply calling the GitHub user endpoint to retrieve profile information for the signed-in user.

The important part of this, though, is the policy. So API Management allows for making complex situations very simple using Azure policy, and that's no different with credential manager. So the important one to note is this get-authorization-context policy. So with this policy we're going to provide the credential provider ID and the connection ID, depending on your scenario, whether it's, you know, unattended versus attended. You'll also see the identity type as JWT. So for our situation we're using the user delegated permission feature, so we're going to select JWT, and we're going to pass in, in this identity attribute, our user's access token that we use to sign in. If this was more of an unattended scenario, where you just have sort of a general account, general connection that you want to be used by a lot of people, you can assign this to managed, and it'll use the Azure API Management's managed identity to use the connections. So these things are getting passed into the headers for this demo.

And then once the get-authorization-context policy is called and used, it's going to retrieve that access token. We're going to validate that the user JWT that we passed in is the correct one that created the connection and has the same access policy assigned to it, and we're going to retrieve that access token for GitHub, and we're going to place it in the set-header policy for the Authorization header, and this will allow us to actually access the GitHub API. The rest of this is more demo related and GitHub API related. But if we look over at Microsoft Graph it's a very similar story: we have the get profile endpoint that retrieves profile information from the Microsoft Graph API and has a very similar policy, the get-authorization-context policy that passes in the headers needed to get the access token. So that's the preconfiguration for the APIs that we have in the operations as well.

So now that that is there, we can go back to the demo and we can actually use these API operations. So I'm going to go ahead and select the AAD connection up here that we just created and connected, and for this one I'm going to go ahead and use the GitHub connection, and so we can actually hit execute. What this is doing is it's calling API Management, it's going through that get-authorization-context policy, it's retrieving the access token, and then it's forwarding it to our third-party APIs. So for GitHub we're seeing response data that's specific to my individual user, and then for the Microsoft Graph one we're also seeing information that's specifically for me. So what's cool about the new user delegated permission feature is, if I were to sign in with a different user, create new connections for my own user, sign in, connect them, I could then call these APIs no different than before and I would receive my own individual user information, which is a really cool new feature that we're rolling out with this user delegated permission feature.

So that is sort of a really basic scenario. One thing that you could do to, you know, spice things up is you could add different API operations to do some different sort of things. So for example, maybe you could use the GitHub API to retrieve issues assigned to your individual user, and then you could use those issues to then call something in Microsoft Graph, maybe the Microsoft Graph to-do API, and you could create new tasks based off your issues and provide a new to-do list that you can walk through and understand what to do for your GitHub issues. So that's just an example. I think it demonstrates the power of the user delegated permission feature within credential manager, and we're excited to see what you guys can come up with. But that's it for the demo. Anything you want to add?

No, thank you Logan, this was super powerful, and especially with, now you are able to go to, let's imagine, the static web website, and you are able to see data based on the user who's logged in, right? So this is super powerful and a new capability we are super excited to share with you all today. And let me quickly recap on what are some things that we've seen with your demo here, Logan. So first of all we covered the attended scenario, yes. If folks are interested in an unattended scenario, we shared some links here, they can check it out on one of our blog posts for example. But if we look at the attended scenario, so Logan showed us, he was in a static web app he created, he already configured the credential providers previously in Azure API Management, so you showed us what this looks like in Azure API Management. Then he showed us how to create the connection, yes. We walked through the process: first it's an error, yes, you're creating it, but it needs to get the credentials in, so, to be really connected, so that's something we talked about as well. And then as a final step, using these connections that we previously created for this user to make calls to the API endpoints in the context of the user and get user-based context back in our static web app. And then you also talked about a fun little scenario with GitHub and a repo there, getting the repo issues out there and maybe even posting it somewhere, for example in Teams or whatever you want to do. This was super exciting, thanks for showing.

Yeah.

And in terms of what are some next things you can do: we shared some links here, make sure to check this out, and make sure to check out our new scenario, our new capabilities. And we are excited to hear more from you out there, if there are more things you want us to work on, maybe some feedback, so feel free to reach out to us. We are always excited to learn and hear what you've been building upon our features. So thank you.

Thank you guys.
Info
Channel: Microsoft Azure Developers
Views: 2,419
Keywords: Azure, Functions, Serverless, Computing, azure app service, azure developers, azure dev cli, azure functions
Id: dA4MiBV6srk
Length: 14min 54sec (894 seconds)
Published: Tue Dec 05 2023