Securing Your APIs in Azure API Management with OAuth
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.
Introduction
Welcome to our comprehensive guide on securing your APIs in Azure API Management using OAuth. In this tutorial, we will explore how to effectively protect your APIs, ensuring they are only accessible by authorized users. By the end of this video tutorial, you will understand the workflow of OAuth and how it integrates with Azure API Management.
Overview of Azure API Management
What is Azure API Management?
Azure API Management is a fully managed service designed to help developers create, publish, and manage APIs for their applications. It provides a robust set of tools and features that ensure your APIs are secure, scalable, and user-friendly. The primary goal of Azure API Management is to enable you to:
- Secure your APIs
- Publish APIs to external and internal consumers
- Monitor usage and performance
- Control access to your APIs with advanced policies
To enhance your understanding, I have created a series of videos on Azure API Management, which you can find linked in the description below.
Introduction to OAuth
OAuth is an open standard for access delegation, commonly used as a way to grant third-party applications limited access to HTTP services without sharing user credentials. This standard allows you to:
- Provide granular access to your APIs
- Ensure only authorized users can access your resources
- Safeguard sensitive information and enhance security
Understanding the OAuth Workflow
In the OAuth workflow, the client does not use a username and password to access the backend API. Instead, it uses an access token, which is obtained from the identity provider. Here is a brief overview of how this process works:
- The client app passes the client ID and client secret to the identity provider.
- The identity provider validates this information and returns an access token.
- The client sends the access token to Azure API Management.
- Azure API Management verifies the token against the identity provider.
- If valid, the request is allowed; otherwise, it is denied.
Setting Up Your Azure Environment
Step 1: Registering Applications in Azure Active Directory
To secure your backend API with OAuth, you need to register your client applications. Here's how to do it:
- Go to Azure Active Directory in your Azure portal.
- Navigate to App registrations and register two applications:
  - The first application represents Azure API Management (e.g., named "API").
  - The second application represents the actual client (e.g., named "APIM iPhone User").
- For the first application (API), set the Application ID URI and create the necessary app roles (e.g., a "reader" role).
- For the client application, set permissions to access the backend API and assign the previously created roles.
- Remember to grant admin consent for the permissions assigned.
Step 2: Creating Client Credentials
After registering the applications, create a client secret:
- Go to the client application in Azure AD.
- Under Certificates & secrets, add a new client secret and save the value securely as it will not be shown again.
- Grab the Client ID from the overview section for later use.
Protecting Your Backend API
Step 3: Adding the Backend API in API Management
Now that the client and backend applications are ready, we can proceed to add the backend API to Azure API Management:
- In API Management, select APIs and choose to add your backend API.
- Select the function app you created as the backend and link it to your API Management service.
- Perform a quick test to verify that the API is working correctly by returning a simple JSON message.
Step 4: Implementing OAuth in API Management
To protect your backend API using OAuth, add an inbound policy that enables OAuth authentication:
- Go to the design tab of your API and find the inbound policy section.
- Add a policy that validates the bearer token carried in the Authorization header.
- The policy checks the token against the identity provider and allows or denies the request based on the validation result.
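The inbound policy these steps refer to, written out as an added example (this is not the snippet shown in the video): a validate-jwt policy that enforces the workflow described under Understanding the OAuth Workflow. The named values {{tenant-id}} and {{api-app-id-uri}} are assumed placeholders you would create under Named values in API Management; the "reader" role is the app role created in Step 1.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example, not the video's own snippet. Rejects any request whose
             Authorization header is missing or does not carry a valid bearer token. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Signing keys are fetched from the tenant's OpenID Connect metadata.
                 {{tenant-id}} is an assumed named value holding the Azure AD tenant ID. -->
            <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Must equal the Application ID URI set on the "API" app registration
                     (e.g. api://<client-id>); {{api-app-id-uri}} is an assumed named value. -->
                <audience>{{api-app-id-uri}}</audience>
            </audiences>
            <issuers>
                <!-- v1.0 access tokens are issued by sts.windows.net, v2.0 tokens by
                     login.microsoftonline.com/{tenant}/v2.0; keep the one your tokens carry. -->
                <issuer>https://sts.windows.net/{{tenant-id}}/</issuer>
                <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
            </issuers>
            <required-claims>
                <!-- The app role assigned to the client registration in Step 1. A token that is
                     signed and unexpired but lacks this role is still rejected with 401. -->
                <claim name="roles" match="any">
                    <value>reader</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The audience and issuer must match the token version your app registration issues: Azure AD v1.0 access tokens carry the Application ID URI as the aud claim, while v2.0 tokens carry the application (client) ID instead. Decoding a token at jwt.ms, as the video does at the end, shows which values to put here. For the client-credentials request in the testing section, the scope sent to the token endpoint is the Application ID URI with /.default appended.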
Testing Your API Security
Using Postman to Obtain an Access Token
- Open Postman and configure it to use Azure Active Directory as the identity provider.
- Set the token endpoint URL and include the grant type as client_credentials.
- Add your client ID, client secret, and the appropriate scope for the API.
- Send the request to obtain the access token.
Testing API Access with the Token
- In Postman, use the API management service to test your API with and without the access token.
- Send a request without the access token and observe that it returns a 401 Unauthorized error.
- Next, send the request with the valid Bearer token to access the API successfully.
- If you supply an incorrect token, it will again return a 401 Unauthorized response, demonstrating the security in place.
Conclusion
In this tutorial, we explored how to protect your APIs in Azure API Management using OAuth, ensuring that access is granted only to authorized users. We covered:
- Overview of Azure API Management and its purpose
- The OAuth workflow and its components
- Steps to register applications and configure OAuth in Azure
- How to test API security using Postman
By following these steps, you will secure your APIs effectively and enhance the overall integrity of your applications. If you found this tutorial helpful, please subscribe, like, and share the video. Thank you for watching, and until the next time, stay secure!
Transcript
Hello and welcome to my YouTube channel. In this video we are going to learn about protecting your APIs in Azure API Management using OAuth. By the end of this tutorial you will be able to secure your APIs in Azure API Management with OAuth.
Intro to Azure API Management and OAuth. Azure API Management is a fully managed service that helps you create, publish and manage APIs for your applications. It provides you with various tools and features to make sure your APIs are secure, scalable and easy to use. I have made a series of videos on Azure API Management; I will leave the links in the description below, you can go over there. Now let's talk about OAuth. OAuth is an open standard for authorization which allows third-party applications to access your APIs securely without sharing user credentials. By using OAuth you can provide granular access to your APIs, ensuring only authorized users and applications can access your protected resources.
Now let's look at the OAuth flow. In the workflow the client never uses the username and password to access the backend API; instead it uses the access token, which is obtained from the identity provider. The client passes the client ID and client secret to the identity provider to obtain the access token. This access token is passed to API Management, then API Management validates the access token against the identity provider. If the access token is valid the request is served, otherwise the request is denied.
Now let's look at this in the demo. I'm in my Azure portal. I have already created a couple of resources: I have created an Azure API Management service, and I have also created a simple API, an Azure function which returns a simple JSON response message. This will act as a backend API for our demo, which we will be fronting with Azure API Management, and we will protect this backend API using OAuth.
To begin with, first what we have to do is register the client applications. For that go to Azure Active Directory, App registrations. First we have to register two applications. The first application represents Azure API Management; let's name it "API". This application represents the actual APIM resource. Leave everything at the default and register. We have the resource application ready. Now go to Expose an API and set the Application ID URI, hit save and copy the URI for later use, and go to App roles. Let's create some app roles. In our case we are simply reading the message, so it's like a reader: an application role, and the value will be "reader". These role details will be passed to the backend API as part of your access token. Reader, and apply. Okay, we have an application ready which represents the actual API.
Now let's create another application for the actual client. I just want to call it "apim iPhone user". Leave everything at the default and click on create. We have another application ready. Go to API permissions, Add a permission, and assign the permissions on our backend API. Yes, we wanted to give the reader access here. For your backend API you have the "apim iPhone" resource application which represents the actual backend API and it has certain roles. Now you can have a different application registered for different consumers, and you can select the permissions differently for each consumer. This permission will be passed as part of the access token to your backend API. Add permissions. Just don't forget to grant admin consent. Because we are using Azure API Management we also need to give access to Microsoft Graph application permissions; scroll all the way down. All it needs is user read and write, read all, write all. Just add permissions and grant admin consent here as well. Yeah, that's all done.
Now the next thing we need is to create a client secret. The client will use its client ID and this secret; it will pass this information to the authorization provider, our identity provider, to obtain the access token. Let's create a client secret. The description can simply be "secret"; leave everything at the default and click on Add. So we have the secret ready. Just make sure you copy it, because once it is gone it is gone, you can't access it again. Now if you go to the overview you have the client ID as well; just grab the client ID. We're going to pass the client ID and client secret to obtain the access token.
We have the client registered, we have the backend app registered. Now if you go to API Management, APIs, let's add our backend API as one of the APIs here. We can directly pick it from the function app, because it's a function app. Browse; in the search filter, facto; select sample API, select, create. We have the sample API added here. We can simply go here and do a quick test to see if it works. Yes, this is working, HTTP 200 OK, and we got the message.
Now to protect this API using OAuth, what we can do is go to the design and in the inbound policy we can add a policy to enable OAuth. All we have to do is add this piece of the policy in the inbound policies; this will enable the OAuth authentication. What this policy will do is look for the Authorization header bearer token and validate the token against the identity provider. We can also configure this in the named values collection if you want; this is our scope, we have added app scope as a named value. And if we go to our API, Factory API, sample API, now we have successfully configured OAuth to protect this backend API.
Let's test our changes. Let's bring up Postman. So let's obtain the token. To obtain the token, as we have used Azure Active Directory as an identity provider, this is the token endpoint and this is your tenant ID. We have to pass the grant type as client credentials, because it is just to protect the backend API and we need just an access token, and we pass the client ID and client secret of the consumer, then the scope. This is the APIM resource scope which we have registered initially, so we have to pass the scope; this is the APIM scope. If you hit send we should be able to retrieve the access token. Yes, we got the access token. If we use this access token we will be able to access our Azure function.
If I go back to our API Management and the test console here, let's see what happens if we hit send directly without passing the access token. Now that we have configured it with the JWT token it should validate, so it should come back with 401 Unauthorized because we haven't passed any access token to access the API. Let's pass the access token now. In headers we add it as an authorization header: Authorization, and the value is "Bearer", space, your actual token. Hit send; we are able to successfully access the Azure function now by passing the bearer token. If you mess up the bearer token, for example, just to prove the point, just put in something here and hit send, and boom, it will fail, 401. So it will validate your access token against the identity provider, in our case Azure Active Directory, and when the token is valid, that is when it will allow, or it will pass, the request to the backend API. You can even inspect the access token: if you go to jwt.ms you can simply inspect your access token. See, it has our scope and all the information, even the roles and everything. The role information is passed to the backend API; the backend API can use this role information for further processing.
If you like the content, please subscribe, like, comment and share the video. I will catch you in the next one. Until then, this is signing off, thank you.