Azure Active Directory Oauth 2.0 Client Credentials Flow with API Management Access Token issue

Karduan 1 Reputation point
2021-08-19T13:16:37.347+00:00

Hi,
I have been struggling to make my Azure Active Directory OAuth 2.0 Client Credentials Flow work with API Management. I do get authenticated via Postman, but in return I do not get any access token, just a bunch of HTML. How can I fix this? The settings of the applications are exactly as per the documents, including the validate-jwt policy.

Please see this image. 124744-azure-ad-token-issue.png

Basically I want my client apps to connect with my Azure APIs using OAuth 2.0 without any consent, using the provided client id/secret. I'm trying to set this up for now with the Echo API provided out of the box in the API Management console.

thanks


2 answers

  1. Siva-kumar-selvaraj 15,651 Reputation points
    2021-08-19T22:03:25.437+00:00

    Thanks for reaching out.

    To use application permissions with your own API (as opposed to Microsoft Graph), you must first expose the API by defining scopes in the API's app registration in the Azure portal. Then, configure access to the API by selecting those permissions in your client application's app registration. If you haven't exposed any scopes in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.


    For example, if I send the scope parameter with a custom name like https://testwebapp.in/.default without configuring the same value as the application ID URI in Azure AD, then that is expected behavior and you get error AADSTS500011.

    The scope parameter in the request should be the resource identifier (application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value tells the Microsoft identity platform that, of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#application-permissions

    Hope this helps

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Karduan 1 Reputation point
    2021-08-20T05:47:42.887+00:00

    Dear @sikumars-msft,
    Thanks for your kind reply. I kept struggling and found a way to make it work. To my surprise, the API Management APIs with Azure AD OAuth 2.0 Client Credentials flow worked only with version 1 of the AD endpoints, not version 2. Below are the two URLs I used with all the older values and scopes, and it started working.

    OAuth 2.0 token endpoint (v1)
    https://login.microsoftonline.com/<my-tenant-id>/oauth2/token

    OAuth 2.0 authorization endpoint (v1)
    https://login.microsoftonline.com/<my-tenant-id>/oauth2/authorize

    I saw videos where version 2 with the same setup was working for everyone else, but not for me. Can this be due to my Free Azure Account with Developer Access?

    But for now, I have another issue that popped up here. I'm now unable to use the validate-jwt policy. This does not work and is always returning

    401, Unauthorized. Access token is missing or invalid.
    

    Here are both of my policies version one and two

    Version 1

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/<TenantID>/.well-known/openid-configuration" />
        <audiences>
            <audience>{Backend-App-ID}</audience>
        </audiences>
        <required-claims>
            <claim name="id" match="all">
                <value>insert claim here</value>
            </claim>
        </required-claims>
    </validate-jwt>
    

    Version 2

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/<TenantID>/v2.0/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud">
                <value>{Backend-App-ID}</value>
            </claim>
        </required-claims>
    </validate-jwt>
    

    Kindly guide me on this. How can I add policies or fix things to make version 2 usable? I read on Stack Overflow that Azure AD v2 is not compatible with API Management, but that answer was from 2019.

    Thanks,

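The validate-jwt policies above reject a token whenever its iss claim differs from the issuer published in the openid-configuration document the policy loads (the v1 document publishes an sts.windows.net issuer, the v2 document a login.microsoftonline.com/{tenant}/v2.0 issuer), whenever aud is not one of the listed audiences, or whenever a required claim is absent. The Python below is an added example, not code from the thread or from Azure: it mirrors those claim checks on two constructed tokens shaped like v1 and v2 Azure AD access tokens, while leaving out signature verification, which APIM performs against the JWKS keys referenced by openid-config. The tenant and app IDs are placeholders.

```python
import base64
import json

# Constructed placeholder identifiers (not from the thread).
TENANT = "00000000-0000-0000-0000-000000000000"
BACKEND_APP_ID = "11111111-1111-1111-1111-111111111111"   # the {Backend-App-ID} GUID
BACKEND_APP_ID_URI = f"api://{BACKEND_APP_ID}"             # the Application ID URI
# "issuer" values published by the v1 and v2 openid-configuration documents.
V1_ISSUER = f"https://sts.windows.net/{TENANT}/"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed token: header.payload with an empty signature segment.
    # Real tokens are RS256-signed; APIM checks that with the openid-config JWKS.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_claims(token: str, issuer: str, audiences: list, required=None) -> list:
    """Mirror validate-jwt's issuer, audience and required-claims (match="all")
    checks; an empty list means the token would pass those checks."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != openid-config issuer {issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(audiences):
        problems.append(f"aud {aud} not in audiences {audiences}")
    for name, values in (required or {}).items():
        have = claims.get(name)
        have = have if isinstance(have, list) else [have]
        if not set(values) <= set(have):
            problems.append(f"required claim {name!r} missing or not {values}")
    return problems


# Two constructed tokens shaped like v1 and v2 Azure AD client-credentials access tokens.
V1_TOKEN = make_unsigned_jwt({"iss": V1_ISSUER, "aud": BACKEND_APP_ID_URI, "ver": "1.0"})
V2_TOKEN = make_unsigned_jwt({"iss": V2_ISSUER, "aud": BACKEND_APP_ID, "ver": "2.0"})

if __name__ == "__main__":
    print(check_claims(V1_TOKEN, V2_ISSUER, [BACKEND_APP_ID_URI]))  # v1 token against the v2 openid-config
```

Running the checks with a required claim of id = "insert claim here", as in the Version 1 policy, reports that claim as missing for either token, and pairing a v1-shaped token with the v2 openid-config issuer fails on iss before the audience is even considered.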
