Hello and welcome to my YouTube channel. In this video we are going to learn about protecting your APIs in Azure API Management using OAuth. By the end of this tutorial you will be able to secure your APIs in Azure API Management with OAuth so they can be accessed only by authorized users.

Before we begin, let me give you a quick intro to Azure API Management and OAuth. Azure API Management is a fully managed service that helps you create, publish and manage APIs for your applications. It provides you with various tools and features to make sure your APIs are secure, scalable and easy to use. I have made a series of videos on Azure API Management; I will leave the links in the description below, you can go over there.

Now let's talk about OAuth. OAuth is an open standard for authorization which allows third-party applications to access your APIs securely without sharing user credentials. By using OAuth you can provide granular access to your APIs, ensuring only authorized users and applications can access your protected resources.

Now let's look at the OAuth flow. In the workflow the client never uses the username and password to access the backend API; instead it uses the access token which is obtained from the identity provider. The client passes the client ID and client secret to the identity provider to obtain the access token. This access token is passed to API Management, then API Management validates the access token against the identity provider. If the access token is valid the request is served, otherwise the request is denied.

Now let's look at this in the demo. I'm in my Azure portal. I have already created a couple of resources: I have created an Azure API Management service, and I have also created a simple API, an Azure Function which returns a simple JSON response message. This will act as the backend API for our demo, which we will be fronting with Azure API Management, and we will protect this backend API using OAuth.

To begin with, the first thing we have to do is register the client applications. For that go to Azure Active Directory, App registrations. First we have to register two applications. The first application represents Azure API Management; let's name it API. This application represents the actual APIM resource. Leave everything at the default and register. We have the resource application ready. Now go to Expose an API and set the Application ID URI, hit save and copy the URI for later use. Then go to App roles; let's create some app roles. In our case we are simply reading the message, so it's like a reader: an application role, and the value will be Reader. These role details will be passed to the backend API as part of your access token. Reader, and apply. Okay, we have an application ready which represents the actual API.

Now let's create another application for the actual client. I just want to call it apim iPhone user. Leave everything at the default and click on create. We have another application ready. Go to API permissions, add a permission, and assign the permissions on our backend API. Yes, we want to give the Reader access here. For your backend API you have the apim iPhone resource application which represents the actual backend API, and it has certain roles. Now you can have a different application registered for different consumers and you can select the permissions differently for each consumer. This permission will be passed as part of the access token to your backend API. Add permissions, and don't forget to grant admin consent. Because we are using Azure API Management we also need to give access to Microsoft Graph application permissions. Scroll all the way down; all it needs is User read and write, Read all, Write all. Just add permissions and grant admin consent here as well. Yeah, that's all done.

Now the next thing we need is to create a client secret. The client will use its client ID and this secret; it will pass this information to the authorization provider, our identity provider, to obtain the access token. Let's create a client secret. The description can simply be "secret"; leave everything at the default and click on Add. So we have the secret ready. Just make sure you copy it, because once it is gone it is gone, you can't access it again. Now if you go to the Overview you have the client ID as well. Just grab the client ID. We're going to pass the client ID and client secret to obtain the access token. We have the client registered, we have the backend app registered.

Now if you go to API Management, APIs, let's add our backend API as one of the APIs here. We can directly pick it from the function app because it's a function app. Browse, in the search filter select sample API, select, create. We have the sample API added here. We can simply go here and do a quick test to see if it works. Yes, this is working: HTTP 200 OK and we got the message.

Now to protect this API using OAuth, what we can do is go to the Design tab, and in the inbound policy we can add a policy to enable OAuth. All we have to do is add this piece of policy in the inbound policies; this will enable the OAuth authentication. What this policy will do is look for the Authorization header Bearer token and validate the token against the identity provider. We can also configure this in the named values collection if you want. We can simply cut this and say app-scope, save it, and go to Named values and add a named value. It is our scope; we have added app-scope as a named value, and if we go to our API, sample API, now we have successfully configured OAuth to protect this backend API.

Let's test our changes. Let's bring up Postman. So let's obtain the token. To obtain the token, as we have used Azure Active Directory as the identity provider, this is the token endpoint and this is your tenant ID. We have to pass the grant type as client_credentials, because it is just to protect the backend API and we need just an access token, and we pass the client ID and client secret of the consumer. Then the scope: this is the APIM resource scope which we registered initially, so we have to pass the scope. This is the APIM scope. If you hit send we should be able to retrieve the access token. Yes, we got the access token. If we use this access token we will be able to access our Azure Function.

If I go back to our API Management test console, let's see what happens if we hit send directly without passing the access token. Now that we have configured it with JWT token validation it should validate, so it should come back with 401 Unauthorized because we haven't passed any access token to access the API. Let's pass the access token now. In headers we add it as an Authorization header: Authorization, and the value is Bearer, space, your actual token. Hit send. We are able to successfully access the Azure Function now by passing the Bearer token. If you mess up the Bearer token, for example, just to prove the point, put in something here and hit send, and boom, it will fail with 401. So it will validate your access token against the identity provider, in our case Azure Active Directory, and only when the token is valid will it pass the request to the backend API.

You can even inspect the access token: if you go to jwt.ms you can simply inspect your access token. See, it has our scope and all the information, even the roles and everything. The role information is passed to the backend API, and the backend API can use this role information for further processing.

If you like the content please subscribe, like, comment and share the video. I will catch you in the next one. Until then, this is signing off. Thank you.
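The inbound policy pasted into the Design tab in the video is the APIM validate-jwt policy. Below is an added example of such a policy, written for this write-up and not taken from the video, that validates the Bearer token against Azure AD, checks the audience against the Application ID URI kept in a named value, and requires the Reader app role. The named values {{tenant-id}} and {{app-scope}} are assumed names that you would create under Named values.

```xml
<policies>
    <inbound>
        <base />
        <!-- Look for a Bearer token in the Authorization header; missing or invalid tokens get 401 -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-scheme="Bearer" require-expiration-time="true" require-signed-tokens="true">
            <!-- Signing keys are fetched from the identity provider's OpenID metadata.
                 {{tenant-id}} is an assumed named value holding your Azure AD tenant ID. -->
            <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- {{app-scope}} is an assumed named value holding the Application ID URI
                     of the APIM resource app registration (the api://... URI set under Expose an API) -->
                <audience>{{app-scope}}</audience>
            </audiences>
            <issuers>
                <!-- The issuer depends on the token version the resource app accepts:
                     v2.0 tokens use the first form, v1.0 tokens the second -->
                <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
                <issuer>https://sts.windows.net/{{tenant-id}}/</issuer>
            </issuers>
            <required-claims>
                <!-- Only tokens carrying the Reader app role are allowed through to the backend -->
                <claim name="roles" match="any">
                    <value>Reader</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A token obtained with client_credentials for a client that was not granted the Reader role is rejected by the required-claims check even though its signature and audience are valid, which is the behaviour the demo relies on when it tampers with the token and gets a 401.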
