Question for OAuth setting for "Try me" function in APIM developer portal

curious7 281 Reputation points
2026-07-17T00:12:05.2333333+00:00

I am working on a APIM deployment that will have developer portal available to developers. Login to portal will only allow Azure B2C accounts and thus will have OAuth already performed. On the APIM instance settings in Azure portal the "OAuth 2.0 + OpenID Connect" section has a option to create OAuth server for B2C, which then can be used for each API. The "try me" function for that API in the developer portal can then use this OAuth server to perform OAuth and use the token.

 

As we have already performed OAuth for developer portal login itself, so I don't want users to perform OAuth twice for better user experience.

 

But one thing I am unsure off is if either there is a global jwt token validation policy or a API specify jwt policy requiring OAuth tokens, then if I don't set the OAuth for "Try me" function, will that succeed or fail? And are there any other security/general concerns if we don't set the OAuth for "Try me" function in developer portal.

Azure API Management
Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.

0 comments No comments

2 answers

Sort by: Most helpful
  1. Christos Panagiotidis 1,681 Reputation points
    2026-07-18T06:56:00.5033333+00:00

    Portal sign-in and API authorization are separate. The B2C token for the portal session is issued to the portal client and should not be reused for the backend API; its audience and scopes differ. Configure OAuth for Try it and associate it with the API. An active B2C browser session may reuse single sign-on, so the user often will not re-enter credentials, while the console still obtains the API access token.

    If Try it is unconfigured, the console does not add an Authorization header. Any global, product, API, or operation-level JWT validation policy expecting that header returns 401 unless a token is supplied manually.

    Use a separate test-console client registration, authorization code with PKCE, exact API scopes and audience, a redirect URI, and least privilege. Keep token validation at the gateway: test-console OAuth only obtains the token; it does not enforce security. Configure CORS narrowly for the developer portal origin.

    Was this answer helpful?

    0 comments No comments

  2. Pravallika KV 18,260 Reputation points Microsoft External Staff Moderator
    2026-07-17T02:14:09.1866667+00:00

    Hi @curious7 ,

    APIM's Developer Portal "Try it" feature can add an Authorization header by obtaining an access token from a configured OAuth 2.0/OpenID Connect authorization server.

    After you configure an OAuth 2.0 authorization server and enable it for an API:

    • A user can authorize access through the Try it console.

    APIM acquires an access token from the configured identity provider.

    The access token is automatically added to the request's Authorization header when the API call is executed.

    It is important to note that Developer Portal authentication and API authentication are separate security contexts. Even if users sign in to the Developer Portal using Azure AD B2C, that sign-in token is not automatically forwarded to API requests made through the Try it console.

    If you don't configure OAuth for "Try it", will it succeed?

    Case A – API requires OAuth/JWT validation

    If your API (or a global/APIM policy) enforces JWT validation using a validate-jwt policy, the request must include a valid bearer token. Without a valid Authorization header, the request will be rejected by APIM or the backend API (typically with a 401 Unauthorized response).

    In this scenario, if OAuth is not configured for Try it, users would need to manually provide a valid access token; otherwise, the request will fail.

    Case B – API does not require OAuth/JWT validation

    If the API does not validate access tokens (or uses another authentication mechanism), the Try it console can still invoke the API successfully without OAuth configuration.

    Security considerations

    Not configuring OAuth for Try it does not introduce a security risk by itself. The primary impact is on usability:

    Protected APIs cannot be tested directly unless users manually provide a valid token.

    Requests without valid tokens will be rejected when JWT validation is enforced.

    The main consequence is a less streamlined developer experience rather than reduced security.

    Therefore, if your APIs require JWT validation and you want developers to use the Try it console seamlessly, configuring an OAuth 2.0/OpenID Connect authorization server in APIM is recommended.

    Hope this helps!


    If the resolution was helpful, kindly take a moment to click on User's imageand click on Yes for was this answer helpful. And, if you have any further query do let us know.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.