Protect your APIs in API Management with Azure AD

Captions
Hi everyone. In this video we are going to see how we can use Azure Active Directory to protect back-end APIs in our API Management. As you can see in this diagram there are a lot of moving pieces, so we will try to break them apart and make it simple for you. First step, we are going to create a function app and import it in our API Management. Then we are going to go to Azure Active Directory to register two apps: the backend app is going to represent the function app in our API Management, then we are going to register the client app, which is going to represent the developer portal of API Management. Then we are going to configure OAuth 2 authentication for the developer portal in our API Management and use that to test our scenario. Then at the end you are going to see how we can use the validate-jwt inbound policy to validate the incoming token in the API request.

Let's get started by creating a function app and importing it in our API Management. So let's go back to the portal and let's go ahead and create a new function app. Let's put it in our Dev resource group and let's call it active directory apim. All right, let's choose .NET version 6 and let's host our function app in the Australia East region. Let's go quickly to the monitoring tab to disable Application Insights logging for our function app, and let's go all the way down to create our function app. All right, my function app is now ready for me, so let's go ahead and create a new function based on an HTTP trigger and let's go ahead and create it. All right, now we are all good. Let's go back to our Dev API Management, go to APIs and import the function app that we have just created. Let's go ahead and browse for the function app, select active directory apim and add it into our API Management. All right, let's go ahead and test the GET operation of our function app. Let's send a request, and 200 OK, all good.

Now let's get back to our diagram. So far we have created a function app and imported it into our API Management. The second step, we need to register these two apps in our Active Directory: one app for the backend function app and a client app for the developer portal. So let's go ahead and do that, and let's start with the backend app. Let's go to my Azure Active Directory, go to App registrations and register a new app. I'm gonna call it backend to make it easy for us to spot it, and let's go ahead and register it. Then let's go to Expose an API, set an application ID for our app and add a new scope. Let's call it function.default, copy this over into the admin consent display name and description, and add our scope. All right, this is all we need to do for our backend app, so I'm gonna open a new tab to register the client app, which is going to represent the developer portal of our API Management. Let's go to my Active Directory again, go to App registrations and register another app. I'm gonna call it client app and let's go ahead and register it.

In the client app I need to go ahead and create a new secret, so let's go to Certificates & secrets and create a new client secret. I'm going to call it secrets and let's go ahead and add it. As I'm here, it's going to be very important to copy the secret value and take it with me, because once I browse away from this page I won't be able to see the secret value anymore. Now let's go to API permissions and add a permission, going for APIs that my organization uses. Let's go back to my backend app, go to the Overview tab and copy the client ID of my backend app, and let's search for it in the client app. All right, let's select my backend app, select the scope that we have defined in my backend app and add a permission for this. Now let's grant admin consent for the default directory. All right, now we are all good for the Azure Active Directory apps. So far we have created these two apps, backend app and client app, and we have authorized the client app to consume the backend app based on the scope we have defined already before.

Now let's get back to my API Management and configure OAuth 2 authentication for my API Management. Let's go to OAuth 2.0 + OpenID Connect and add one for OAuth 2. I'm going to call it active directory. In the client registration URL you can put the URL of the page where users are going to be directed to manage their accounts; however, if you don't allow users to self-manage their accounts, you just put a placeholder for this URL, as simple as localhost. Then I need to specify the authorization endpoint URL and the token endpoint URL, and I need to get back to the Microsoft documents that will explain what I should provide in these values. So let's scroll down and try to find the authorization URL endpoints, and since you are using OAuth 2, let's go ahead and copy this line and put it in here. As you can see, I need to provide my Azure Active Directory tenant ID in the URL, and you can get it by going back to any of your registered apps. Let's copy the tenant ID of your Active Directory and put it in the authorization endpoint URL. Now let's stick with the POST method for the authorization request method as well. Then, coming to the token endpoint URL, again let's go back to the documents, scroll a little bit down, copy the token endpoint and paste it in the token endpoint URL. Same as before, I need to provide my tenant ID; let's copy it from my backend app and put it here as well. All right, now I need to specify the default scope. Let's go back to my backend app, go to Expose an API, copy the scope that we have defined before and put it in the default scope value. Now I need to provide the client credentials, client ID and secret, for the client app that we have created. Let's go to the Overview tab in my client app, copy the client ID from here and put it in the client ID section. For the client secret, let's go to our client app secrets; this is the secret value that we need to provide, and if you remember I told you to copy it aside so you can use it later. If you didn't, feel free to create a new client secret and copy the secret value straight into the API Management OAuth configuration.

Now, as you are filling in this information, you are going to see these two text boxes have been auto-generated for us. I'm gonna go ahead and copy the authorization code grant flow URL and put it in the client app. Under Authentication I'm going to add a platform, select Web, put the URL we have copied from the API Management OAuth 2 configuration and configure it. Now let's get back to my OAuth 2 configuration and create it. All right, we are now good; we have created our OAuth 2 server for my API Management. Now let's go to APIs, go to the active directory apim API, then go to Settings, scroll down, select OAuth 2 and select my active directory OAuth 2 server that I have configured in my API Management instance, and save our changes.

All right, getting back to our diagram, now we have configured the OAuth 2 server in our API Management. The next step is to use the developer portal to test the scenario, but before we will be able to use it we need to go to the developer portal's Portal overview first and publish our developer portal. It might take a few minutes if this is the first time you are going to publish it. And now my portal has been published; let's go ahead and open the developer portal so we can test our scenario. All right, let's keep pressing the Control button if you are using Windows, and go to APIs, active directory apim, and let's try this API. As you can see, there is no auth. Let's select authorization code and get rid of this window. As we are doing this, you might be able to see that an authorization header has been added to our API Management request, and as we are going to send this request, the authorization header with the token value received back from Active Directory is going to be added to my API request.

So let's go ahead and send the request. As you can see here, we need to enable CORS, so let's go back to the developer portal overview, enable CORS, and publish my developer portal one more time. Let's get back to my developer portal and refresh this page. All right, let's try it one more time, and again the authorization code has been selected. Let's scroll down and send the request. As you can see here, we are getting 401 Unauthorized because we didn't include a subscription key, and this is because I didn't put my API in a product when I first created it. So let's go to my active directory apim API, go to Settings and put it in the Starter product, and save our changes. Now let's go to the Portal overview and republish the developer portal one more time. Let's go back to my developer portal and refresh this page. All right, let's try it one more time; authorization code has been selected, and as you can see here a subscription key has been provided for me, and this is the token that we received back from Active Directory. Now let's send the request. We are getting a 200 response code and the response body we have already created in our function app. All right, so far so good. We have created everything we need to create and we have configured them in a way that will allow them to talk to each other smoothly.

Now the only thing we need to provide here is to put a validate-jwt token policy in our API policy, so let's go ahead and do that. Let's first get back to the documentation and scroll down to find the validate-jwt policy, copy it over into my APIs, active directory apim, and put this policy in the inbound section. Now we need to change it a little bit. Again I need to put my tenant ID in the URL here, so let's go back to the backend app I've registered, copy the tenant ID and put it here. Now I need to provide the client ID of the backend app as well, so let's go to the backend app, copy the client ID of my backend app and put it here as well. Now let's save our changes, go to the Portal overview and republish the developer portal one more time, then go to this page and refresh it. Let's try our API: let's scroll all the way down, and I need to specify the authorization code first. Let's scroll down; yep, the token has already been attached to the request. Let's send a request, and as you can see here we are getting 401 Unauthorized. Probably I missed one step, so let's go to the backend app, go to the Manifest, and I'm going to change the access token accepted version to version two, because this is what we are using, OAuth 2. Let's save my changes and do exactly the same for the client app: go to the manifest, change the access token accepted version to two, and save our changes. I'm going to close this tab, go back, publish my developer portal and open my developer portal again. All right, let's go to APIs, active directory apim, and try it: select authorization code and send a request. As you can see here we are getting a 200 response code and the response body that we have already configured in our function app.

Going back to our diagram, this is what we have implemented to protect our backend APIs in API Management using Azure Active Directory. We have used the validate-jwt inbound policy in our API Management to help us enforce that the incoming requests to our API Management come with the right, valid token that Active Directory recognizes and validates, and we have used the developer portal to test this scenario. That's all I have for you in this video. Thanks for watching and I will see you in the next video.
Info
Channel: Hussein Awad
Views: 2,030
Id: BJUfaeZ1hHg
Length: 16min 54sec (1014 seconds)
Published: Mon Sep 18 2023