How to get a secure access token programatically?

Mariusz Klimek 21 Reputation points
2020-01-28T10:29:06.317+00:00

I'm trying to implement Azure Active Directory in my API Management instance using the Protect an API by using OAuth 2.0 with Azure Active Directory and API Management doc as a guideline. The doc suggests that in order to get the access token I need to use the Developer Portal.

My problem is: An external application is going to communicate with API Management.

Is there a way to omit the Developer Portal and get the access token programmatically?

I already received a suggestion via Stack Overflow that I can achieve this via a Powershell script, but I'm afraid that's not really the best option I can hope for.

I'm afraid I'm fairly new to AAD, so I'm not sure what is the best course of action (B2C or anything else).

Please advise.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,139 questions
0 comments No comments
{count} votes

Accepted answer
  1. FrankHu-MSFT 976 Reputation points
    2020-01-28T19:26:35.267+00:00

    Hey @Mariusz Klimek per the doc it says in order to build an application to call the API you will need to follow one of the samples here : https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v1-code

    Essentially what you need to do is to follow the Auth code flow, to get an access token with the permission to your API protected by APIM. Per the docs at the point of : https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#grant-permissions-in-azure-ad

    Under Select an API, select My APIs, and then find and select your backend-app.
    Under Delegated Permissions, select the appropriate permissions to your backend-app, then select Add permissions.

    Depending on whether you're using the v1 or v2 endpoint. For the v2 endpoint you'll want to follow the Auth Code flow documented here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

    with the scope .default for your application.

    For the v1 endpoint you can follow the doc here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

    I would suggest utilizing the v2 endpoint as that's where all aad development is going towards. In addition to that, you can utilize the MSAL library to get the access token more quickly/easily as the developer experience team is dedicated to helping simplify the complexities of the AAD Access Token Acquisition process.

    The ADAL(v1.0) libraries are found here : https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
    The MSAL(v2.0) libraries are found here : https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries

    In each of the github repos there is a wiki describing how the library works. I would suggest taking a look at that for further help, as it should be straightforward on how to use the MSAL library.

    Please take a look at the wiki for MSAL .net here for an example: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki

    Typically the .net libraries are the most well documented in MSAL/ADAL so I suggest starting there to understand the libraries.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful