Secure Azure App Service & API Management endpoint using oAuth 2.0 with Azure AD

Captions
Hello, my name is Khatchik Isayan and I'm certified as an architect. Recently I was asked to set up and configure API Management in Azure. While configuring, I found some challenges, specifically in the areas of securing the backend (or the App Service) and configuring OAuth 2.0, so I thought it would be a good idea to put a tutorial together where I focus on the areas where the Microsoft documentation was not clear. Let's get started.

Before we start configuring resources, let's visualize our objective. On your left-hand side you're seeing a simplified user-to-system and system-to-system interaction. In short, we want the users to be interacting with the Azure API Management, and if somehow they discover the endpoint for the App Service and they want to access it directly, we will give them "access denied". Here is a summary of all the steps involved. As you see, there's a lot to be covered, so I would strongly recommend that you go to the Microsoft documentation; this is the document that I followed for my tutorial. Follow this, do the steps, and only refer to my tutorial if you have issues or you need clarifications. And if you just wanted to stand up a protected App Service without an API Management, you would follow this document.

To save some time I'm going to use one of my APIs to deploy. One thing I would recommend is that you implement the Swagger; this will save you a lot of time down the road. Okay, so let's publish this. Now that it's published, let's test this. Okay, as you see it returned 200 with some data.

Next I will be importing the App Service into API Management. As you see, Microsoft made life easy: I can just pick my App Service plan and import it, but I could also go through the OpenAPI since I already have a Swagger. But let's take the easy route. Okay, and for the suffix I'm just going to do "demo", let's say three. Create. Now, if I was testing the API endpoint using Postman I would get access denied because of the subscription key. Let's remove that requirement from the settings. Okay, let's try our Postman again. It takes some time. Okay, now at this point I have both of my endpoints, the APIM endpoint and the App Service endpoint, wide open to the public. Our job, or our objective, is to secure both endpoints using OAuth.

Let's review the items that you will need to secure your App Service endpoint as well as the APIM endpoint. So you definitely need your tenant ID, you need the set of endpoints for OAuth 2 as well as the callback for your App Service, you need the app ID for your App Service, the scope (and don't forget to put that .default at the end), you will also need your client ID (this is the test ID that you're going to test your configuration with), and you will need the policy that you need to configure your APIM endpoint.

Now let's register the backend. Let's go to the manifest and update the access token accepted version to 2, since we plan to use OAuth version 2, and save that. Okay, now let's add a scope. Before we do that we need to set the app ID URI and save that somewhere for future use. Add the scope; name it to something that is not just for display purposes. Okay, for the backend app let's enable the ID token from Authentication. Now go back to your App Service and from Authentication click on "Add identity provider", click on Microsoft, and we're going to pick an existing registration and pick the app that we just created a few seconds ago, then click on Add. At this point our App Service endpoint is secure, so if you try to send a request you're going to get Unauthorized.

So the next step is to access our endpoint using OAuth 2.0. Let's register the client app that will be accessing the secure endpoint. Let's add permissions to the client app that we just created, and this is the scope. Go ahead, grant admin consent. Let's update the access token accepted version to 2 since we're going to use OAuth 2, and save that for the client app. Next let's create a secret, or password, for the client app. Okay, at this point you've configured OAuth for the App Service. Let's test it out: let's get a token, proceed, use this, send it, and now we're getting data back. Okay, just one minor thing: when you're entering the scope, put .default at the end.

Okay, so at this point only your App Service endpoint is working but not the APIM endpoint. So if you try to trigger a request through your API endpoint you will get permission denied, but if you send the token information then you will get some data back. Now if you were to use this same client ID then you would stop here and there's nothing else that you need to do, but if you want to use a different client ID there are a couple of other steps that you need to take. Go ahead and turn on the managed identities for the APIM. In a real-world scenario you would go and create a new scope for this backend service and create another client app to register or implement that scope, but to save some time I'm going to reuse the backend service (or backend registration) and the client registration that we did earlier on. To save some time I've gone ahead and created a new OAuth; I'll just scroll down so you can see the values. Now let's go to the API settings, scroll down to OAuth, and pick the OAuth that we just created a few seconds ago. One last step: let's add a policy and then we are set to test our API. Let's test our APIM endpoint: get a token, send a request, and we got data. This concludes the tutorial, and I have a couple of slides explaining the benefits of the APIM. I hope I demonstrated this first point at least, and if you need to dig in more there's some references at the bottom and on the last page. Thank you for watching.
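The "add a policy" step near the end of the tutorial is not shown in the captions. Below is an added example of an APIM inbound policy of the kind that step refers to, written for this page and not taken from the video; `{TENANT_ID}`, `{BACKEND_APP_CLIENT_ID}` and `{CLIENT_APP_ID}` are placeholders for the tenant ID, backend registration and client registration collected in the checklist above.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the call at the gateway unless it carries a valid Azure AD v2.0 access token,
             so the backend App Service is not the only place the token is checked. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Signing keys are fetched from the tenant's v2.0 OpenID metadata
                 (v2.0 matches accessTokenAcceptedVersion = 2 set in the manifest). -->
            <openid-config url="https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration" />
            <issuers>
                <issuer>https://login.microsoftonline.com/{TENANT_ID}/v2.0</issuer>
            </issuers>
            <audiences>
                <!-- v2.0 access tokens carry the backend app's Application (client) ID in "aud",
                     i.e. the registration whose scope was requested as api://.../.default. -->
                <audience>{BACKEND_APP_CLIENT_ID}</audience>
            </audiences>
            <required-claims>
                <!-- Optional tightening: only accept tokens issued to the registered client app
                     ("azp" is the requesting client in v2.0 tokens). Drop this block to allow
                     any client that was granted the scope. -->
                <claim name="azp" match="any">
                    <value>{CLIENT_APP_ID}</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the original `Authorization` header is forwarded unchanged, the App Service's own Authentication setting still validates the same token a second time, which is the "both endpoints" outcome the tutorial is after.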
Info
Channel: Khatchik Isayan
Views: 2,708
Keywords: API-M, Azure API Management, Azure App Service, oAuth, Azure AD
Id: TRrBqNYtyj8
Length: 8min 38sec (518 seconds)
Published: Fri Jul 02 2021