Protect APIs in API Management using Azure Active Directory

Captions
Okay, so recording has started. Once again, this call is being recorded and we place our recordings on our YouTube channel; if you don't want to be recorded you may want to drop off now. So thank you again, and welcome to another session of Azure Power Lunch. Here is a quick agenda: we are going to be talking about how we can use Azure Active Directory and OAuth to protect our APIs in API Management. I think we discussed this topic briefly before, but some things have changed. We have had a new version of Azure Active Directory for some time, V2; they have simplified things, so we're gonna see how quickly we can protect those APIs. And most organizations which are security sensitive don't want to use just the API key. Yes, the API key is there, you can use it, and we'll still be using the API key, but the main authentication will happen through OAuth and Azure Active Directory.

So here's the quick agenda: we will quickly go over API Management, just one or two minutes to do a level set, then we will go over a couple of slides on how we are doing it, and most of the time will be spent on the demo. So that's the goal.

Let's quickly go over Azure API Management. This is a logical architecture. It's an API broker service from Microsoft. It allows you to separate the implementation of your API from its presentation. So your APIs may be implemented in SOAP or REST, or they may be using different sorts of authentication or a different sort of format, but you can use this middle layer, this broker, to expose those APIs to your end customers and to your own organization in the way you desire. So that's how we are achieving this kind of separation of the implementation of the API versus the presentation of the API. And I just want to mention that a detailed discussion about API Management is out of the scope of this meeting; there are many videos where we have covered API Management in the past. Look at those videos or look at other material if you want to know more about Azure API Management.

Second thing, quickly, let me just go to the next slide. This is the high-level architecture of where we talk about API Management, and as you can see here, this is the authentication piece we are talking about. You have the middle tier; you have the developer portal, which is where you are going to be consuming those APIs, you apply for subscriptions and all that; you have the gateway, which is the key piece, which is the actual broker that does the actual brokering of the API; and then you have the Azure portal itself, where you set up and do the management of the API Management feature. Just keep in mind there used to be a management portal as well for API Management; it is deprecated. So with that, let's see, any questions so far?

One thing that I want to mention here: this is kind of how this whole thing works in regards to how you protect your APIs in API Management with Azure AD and OAuth2. First of all, you have a client app that is trying to call an API in Azure API Management. The first thing it does is get a token from Azure Active Directory. You have already set up two app registrations: one to represent the client app and one to represent the API app, or the APIs in your Azure API Management. By the way, we'll go through these step by step and actually do it in the demo. Once you get that token, the next thing you do is call the API with this token, and once it goes to API Management, it will go back and check with Azure Active Directory: "okay, I got this token, validate it." How it is validated is through a JWT policy. As you know, API Management allows you to apply policies for rate limiting, for transformation; just like that, you have a JWT policy which allows you to validate a JWT token, and once that is validated and confirmed, then it returns the results back to the client app. So that's how this whole flow works.

If there are no questions I would like to move to the next slide. These are all the steps, and what I've done is I have outlined those steps here with the appropriate resources, so if you are trying to follow this through the demo or through the slide deck, you should be able to get to each step. Before we go any further, please let me know if there are any questions, and we are going to jump into a quick demo.

Okay, so here we go. Here is an API Management resource that I have created; I'm not going to go into the detail. I have imported different APIs, and one of the APIs is the APL auth demo; it's just importing the Conference API. If you look at the Azure API Management site, it gives you a kind of sample API that you can import, just for a quick start; that's what I'm doing. If I want to call this API, for example I want to get sessions, what I can do is go into Test, select the appropriate product, and say Send, and it will call the API and return all the information. As you can see, there is no authentication set up at this moment as we speak. So what we're going to do in the next 20, 22 minutes is set up the authentication and test this thing out. So please follow me, and let me increase the font size a little bit so everybody can see it better.

So with that, let me just quickly do one thing here. I'm gonna go into Azure Active Directory. First of all, I am going to go into App registrations and I'm going to create an app registration for my API app. So let's do that first. I'm gonna go into New registration and I'm gonna name it (very creative name), so here we go: three. And that's it; I'm not gonna do anything else, I'm just gonna register it. So this is the app, and by the way, if you look at the steps, I am just following the step "create an app registration"; this is the link.

The second thing we are going to do is add app roles to our app registration. Before, app roles were available through the manifest and they were kind of kludgy to do, but now they are a first-class citizen, so I'm gonna create app roles. The first app role I'm gonna go in and call "conf members", and I'm gonna say you can add both users and groups. Just for the sake of simplicity and to save time, I'm just gonna give the same to the description. Just keep in mind: if you just do Users/Groups, then you can add Azure AD users and groups, but if you do Both, then you can add applications as well, which is a good thing depending on whether you need it or not. That's the first one. The second role we're gonna add, and let me explain why we are doing this: the reason why we are adding roles is because we may have different users and we have different APIs. We don't want every user to call every API; we want to make sure that users can only call certain sets of APIs, and we can set this authentication up either at the API level or at the API operation level. So think of it: we are doing RBAC for our APIs; that's what we are trying to do.

So we did the roles. Let's see what is the next step. Now we need to add users and groups to these roles. In order to do that we will have to go to the overview and go over to the service principal; we go in there, we go into Users and groups, and we say Add user/group. First of all we pick the user; we pick Dak Prescott and we add him as a member, assign, and we will repeat this step for a few other users. We do Azure admin, select, and then we assign it to conf admins, and the last thing we do is we again pick (and to be honest, this user interface could have been improved a little bit, like allowing you to select multiple roles so we don't have to do this multiple times; but in any case, let's do it) and then we add him as conf member as well. So now that is done; we have all the roles set up.

Let's see what is the next step: expose the API and the scope. So we now have to expose this API as an API; that's a step that is needed. So let's go back to the app registration, go to Expose an API, and let's say Add a scope. First of all it will say "add application ID URI"; this is just a GUID, you just say Yes. In regards to the scope, you go in and we add the scope of API.call, and we say Admins and users, and we just copy it everywhere, and we add. By the way, you can add multiple scopes as well, and you can give users access to different scopes, and you can use those scopes in your JWT token as well. We are not going that far, but that's what we are trying to do.

Okay, so here we are gonna try to do our first test, and we will use what we call Azure CLI to do that. So let me just open Azure CLI; give me one second. In the meantime, any questions? So what I'm gonna do is I want to show you something here. Let me just move that window, Azure CLI, here. What I'm going to do is try to get a token for my app using the ID that I signed in with. So let me go there: this is my app, this is its client ID, so this is the client ID that I'm gonna copy, and I'm going to try to get a token with that. So let's do this. What we are trying to do is get a token, and we will get an error. Why are we getting an error? It is saying that you are trying to use Azure CLI to get a token; at this moment our client app is Azure CLI, Azure CLI is acting as the client app, but the client app has no access to our API. So what we have to do is give the client app (and by the way, this is the app ID: the GUID that you see that I'm highlighting, that's the app ID of the Azure CLI) authorization on our API. But just keep in mind, it doesn't mean that anybody can call it; it will still only allow us to get a token on that behalf, that's all it will do, and if that user is authorized then everything will move forward. So here is what we are going to do: we're gonna go into Expose an API and Add a client application; we will paste the client ID, this is the client ID of our Azure CLI app, and we're gonna say Add. Okay, done; that's it. So we added it. Let's try to run that command again and let's see what happens. Did we save it or not? Let's double check; this is saved. So why is it...? That's the fun with the live demo. I think I missed the login; let me just log in again. Sometimes it takes a minute. Yeah, that's the thing with the live demo, sometimes you don't have that minute. There we go. I signed in; now let's go back there and try it again. Okay, so finally we got the token.

So let's take this token and analyze it. I hope everybody is familiar with the JWT decoder; I'm going to go to this site, paste this token here, and let's see. So look: I am logged in as Azure admin, I am getting a token for the API app using Azure CLI; Azure CLI is allowed to request a token, just keep in mind it's requesting a token on my behalf. And look at that: Azure admin, IP address, all the fun stuff. This is golden; this is what we were looking for: it has those roles. You remember I added myself, Azure admin, to those roles, so those roles are showing up here. That's the key thing to note down. So once we have those roles, now let's set up our JWT token validation for that API, and folks, I know there are a few steps, but please feel free to ask if there are any questions.

We go back here, we go to Design, All operations, and I'm going to apply a policy at the top level. I'm going to click Add policy, and at this point I am going to select (where is that? yeah) Validate JWT. There are two ways: you can do the full form, or you can do it the way I fill it up like this. So here is what I'm gonna do: I'm gonna fill it up. First of all, the name of the header is Authorization; yes, that's the name of the header. 401 Unauthorized. In the case where there is an error, what message do we want to show? You can customize that message, but I'm just gonna paste the message that is there: "Unauthorized. Access token is invalid." In regards to the audience, I'm gonna add two audiences here. One is... let's look at the token, what audience we have here; you see, this is the audience. So I'm just gonna copy that; this is just a plain copy, that's all I'm doing here, nothing else. I'm gonna add another audience, because sometimes the audience appears without this API prefix, so here we go, we're gonna add these two audiences here. And I'm gonna add the OpenID URL; this is unique for my tenant, so let me copy that and paste it here. Then I'm gonna add the claim. The claim that I'm gonna add is the roles claim. So I say this is "roles", match any claim, and I don't care about the separator, and I want the role to be conf admins. So I want this API, or all the methods underneath, to be called only if the user is in conf admins. Got it? Anything else, folks? With that I'm gonna say Save, and it's gonna save it, and let's take a look at the policy. So we have audiences, we have everything set up. One thing that is also needed is an issuer, so what we're gonna do is add the issuer claim as well, just to be on the safe side. Save it.

So now this API is authenticated and you can only call it once you have a valid JWT token. So let's try to call it now without the token, and then we will call it with the token. If we call it without the token, and let's trace it, yes, you see that: 401 Unauthorized, access token is missing or invalid. Basically there is no access token. So let's do that: let's add a header, and in that header we're gonna call it Authorization, and we're gonna put "Bearer"; this is how you send an authorization token, you put "Bearer", space, and then you use whatever we have here. So I'm gonna just copy that from here, go back here, paste it, so my token is all set up, and cross your fingers and press it. Here we go: 200. Look, magic. So think of it: a few steps, creating the app roles, everything is set up, and we are now able to call the API through that particular token and ID. Very simple.

Okay, now we're gonna take it a little further. Normally you won't be calling APIs through the CLI; you will need another app to call it. So let's go to our next step, which is to create an app registration to represent the client app in API Management. That's an important step that we have to do, to make sure that we have a client app to call it. So let's go back to our app registrations and let me create a client app here now. We go into App registrations and we say New registration and we call it "client app3", and we don't change anything, we just say Register. At this point you have registered the client app and it is done. One thing we haven't done yet (and let me just duplicate the tab here) is give this client app access to our API app, just like we did, if you remember, for the Azure CLI client. So let's go into App registrations and let's find our server app, or API app; you go in here, and now we go into Expose an API, and what we're going to do is copy the client ID of this app, Add a client application, Add; that's it. So now we have added the client application.

Folks, we are gonna call this API from a .NET application using this client app registration. In order to do that, what I need to do is basically add a URL, to make sure that this thing is able to post back the token, because we're gonna use an Azure API. So I'm gonna add a platform; since this is a desktop application I'm gonna select that, and I'm gonna add http://localhost as the URI. Okay, so we saved it; now it's gonna post back the token.

So let's go now to our C# app where we are going to be making the call. We have three minutes, so hopefully we can do it. Hopefully everybody can see my screen; everything is here. This is my scope; I'm just gonna change it, I was testing it out, so let me use the app ID from here as the scope. So I'm gonna copy it (sorry, wrong window), go into my C++ application, paste it here; so this is my API app. Now let me quickly go in here and go into the client, get that GUID, that's gonna be my client app, or your client ID; I'm gonna paste it here. And now let me fix the URI: this is the URI that I'm using, and let me go back here and go into the API app and let's see what is the URI that we are sending it to. Let me just go back here and quickly paste it here, and now let me call this API; subscription and everything is the same. So let me run it. Any questions so far? I know we have two minutes. Oh sorry, so this is the screen and it's gonna authenticate; it's going to open a window to authenticate. Yes, so it sends an authentication URL; I'm gonna copy that URL. Go ahead please, question. Okay, so I'm going to paste this URL here, and this is where my other persona, Dak Prescott, is signed in, as you can see here. So I'm gonna authenticate with that. I just want to show you, if we do sign in... so it's gonna sign in. It's gonna... "no reply address"? That's interesting; why is it saying that? Maybe it takes some time for that change to get into effect, but the idea is, once you... oops, I think I didn't save the change; my mistake.

[Audience:] That's a lot for a Power Lunch, Naveed; it's a power-packed lunch today.

It's great, thank you sir, thank you very much. Yeah, so I think I may have made a mistake here. Let me do this... so I may not have saved it, so let me just do that again: http://localhost. I know we are right on time. Yeah, so that's been added here; we may not have added it to the right place, so please forgive me on that. Let's stop it and run it again, and hopefully this time we can, fingers crossed... yes. Okay, so here is the sign-in window; I'm gonna copy it, I'm going to paste it here, and let's run it again. Yes, so it says authentication complete, but look at the response: we got an error from the API. Why? Because Dak Prescott is not in the role of conf admin; he only has conf reader. So you see that he has the key, everything is there, but since he is not in the role we are not able to call the APIs. It's kind of an RBAC for the API, and we are able to do it just with the API Management JWT policy, Azure AD and OAuth. Any questions, folks?

[Audience:] Great presentation, love it.

Thank you folks, thank you very much. So we just saw we can allow and block based on the user's credentials in Azure AD. So if there are no questions, I'm sorry I ran over a little bit, but thank you for your time, and hope to see everybody next week for another session of Azure Power Lunch.
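The validate-jwt policy assembled in the demo (Authorization header, 401 on failure, both audience forms, tenant OpenID metadata, issuer, and a required roles claim), written out as an added example rather than the presenter's own policy export. The tenant ID and API app ID are placeholders, and the role value `Conf.Admins` is an assumed app-role value:

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example: validate-jwt matching the demo's settings.
             {tenant-id} and {api-app-id} are placeholders for your tenant
             and the API app registration; Conf.Admins is an assumed role value. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-scheme="Bearer">
            <!-- Tenant-specific OpenID metadata; signing keys are fetched from here. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- Both audience forms, with and without the api:// prefix. -->
            <audiences>
                <audience>api://{api-app-id}</audience>
                <audience>{api-app-id}</audience>
            </audiences>
            <!-- Issuer depends on the token version: v2 uses login.microsoftonline.com/{tenant-id}/v2.0,
                 v1 tokens use sts.windows.net/{tenant-id}/. -->
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
                <issuer>https://sts.windows.net/{tenant-id}/</issuer>
            </issuers>
            <!-- RBAC for the API: only callers whose token carries the admin app role pass. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Conf.Admins</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A caller whose token lacks the role (the conf member persona in the demo) is rejected with the 401 before the request reaches the backend, which is the check the trace shows failing.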
Info
Channel: Azure Power Lunch
Views: 14,427
Keywords: 5-26-2023, Azure Power Lunch, Naveed Zaheer, Protect APIs in API Management using Azure Active Directory
Id: hzfpHvA5Wg0
Length: 30min 55sec (1855 seconds)
Published: Tue May 30 2023