Problems with Azure API Management Authorization

Chroafjd 6 Reputation points
2022-03-31T12:09:47.353+00:00

The attached screenshots summarize the problems encountered when trying to authorize application objects registered in Azure (App Registration) to obtain OAuth2 access codes.

Step 1: Two apps are registered, with WeatherAPI representing the API resource while WeatherConsumer is the client.

Step 2: The intention is for the WeatherConsumer app to obtain an OAuth2 access code from the WeatherAPI app.

Step 3: The relevant section of the WeatherAPI app manifest is as follows:

{
  "id": "2fcea6f6-57e4-4fad-925e-9da02053ebb8",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 2,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "15260e57-4d7e-4fa9-b33f-33c60d67e8e7",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "description": "Consumer apps shall have access to read only static data for a single weather station.",
      "displayName": "ReadSingle",
      "id": "0bb031c1-5c54-45d4-a23d-02aaa7dfe8bb",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": "Weather.ReadSingle"
    },
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "description": "Consumer apps have shall accesss to reall all data",
      "displayName": "ReadAll",
      "id": "3dca5e66-a39a-4c0f-81e4-5b593d39b6d7",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": "Weather.ReadAll"
    }
  ],

The request I submit to Azure to get the authorization from Azure is as depicted in the Postman screenshot, whereby the client_id and the client_secret are those belonging to the WeatherAPI app. Further, the scope in the request is of the format api://{applicationID}/.default with the {applicationID} replaced with that of the WeatherConsumer app.

I am able to submit the request without any errors as per the screenshot but no authorization code is returned. Any help would be appreciated.


3 answers

  1. Shweta Mathur 22,731 Reputation points Microsoft Employee
    2022-04-01T14:26:24.357+00:00

    Hi @Chroafjd,

    Thanks for reaching out.

    I understand that you want to call a protected Web API from the web application and are trying to get the token using the Authorization Code Flow.

    The authorization grant flow is used to get the access token to call protected resources (Web API), mainly from web applications and single-page applications, for a signed-in user.

    In the authorization grant flow, there are two steps involved in getting the access token.

    1. Call the authorize endpoint to get the short-lived code through the browser, as user sign-in is required: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?

    As you might have noticed in your Postman, when you are calling the authorize endpoint, you might get a successful response, but in the response it is asking you to “Sign into your account”.


    Also, I noticed the client_id you are passing in the request does not match the application ID of your client application. You need to set all the below parameters correctly to get the authorization code:

    client_id : application ID of the client application
    response_type : code
    redirect_uri : where the code needs to be sent. It should match the redirect URI you specified in the portal while registering the application.
    scope : permissions the API can expose
    response_mode : how the requested token should be returned

    After passing all the parameters correctly, paste the URL in a browser for the signed-in user to accept the permissions, and you will get the code in the query string along with the redirect URI you mentioned in the request.


    2. Now that you've acquired an authorization_code and have been granted permission by the user, you can call the token endpoint https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token to get the access token from the code.


    Here the client_id and client_secret are those of your client application, which is requesting the access token to call the protected API.

    In the scope, you need to mention the permissions the API can expose. As mentioned by you, scopes of your web API have been defined, which need to be added to the client application as below:

    Client applications call APIs on behalf of the signed-in user. To do that, they must request delegated permissions.

    Client Application -> API Permissions -> Add a permission -> My APIs


    Hope this will help you get the access token using the authorization grant flow. If you have any further questions on this, do let me know.

    Thanks,
    Shweta

    --------------------------------

    Please remember to "Accept Answer" if answer helped you.
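The two-step exchange described in this answer, as an added example that is not part of the original thread or of any Microsoft sample: it builds the authorize URL with the client app's id and the API's scope, pulls the code out of the redirect while checking the state value, and prepares the token request. The tenant, the WeatherConsumer app id, the redirect URI and the secret are placeholders; only the WeatherAPI app id comes from the manifest in the question.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumed values); only API_APP_ID is taken from the manifest in the question.
TENANT = "contoso.onmicrosoft.com"
CLIENT_APP_ID = "00000000-0000-0000-0000-000000000001"   # WeatherConsumer (client) app id
API_APP_ID = "15260e57-4d7e-4fa9-b33f-33c60d67e8e7"       # WeatherAPI (resource) app id
REDIRECT_URI = "https://localhost/callback"              # must match a redirect URI registered on the client app
SCOPE = f"api://{API_APP_ID}/.default"                   # the API's app id, not the consumer's
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"


def build_authorize_url(state: str) -> str:
    """Step 1: the URL the user opens in a browser. client_id is the CLIENT app, never the API app."""
    params = {
        "client_id": CLIENT_APP_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,   # random per request; checked again in extract_code
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Parse the redirect back from the authorize endpoint; reject a state mismatch or an error."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in qs:
        raise ValueError(f"authorize error: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code: str, client_secret: str) -> dict:
    """Step 2: form body POSTed to the token endpoint; client_secret belongs to the CLIENT app."""
    return {
        "client_id": CLIENT_APP_ID,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
    }


if __name__ == "__main__":
    print(build_authorize_url("demo-state"))
    print(build_token_request(extract_code(f"{REDIRECT_URI}?code=AUTHCODE&state=demo-state", "demo-state"), "<secret>"))
```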


  2. Chroafjd 6 Reputation points
    2022-04-06T17:26:04.193+00:00

    Dear @Shweta Mathur ,

    Many thanks for your detailed response to the question I raised last week regarding "Azure API Management Authorization". I've taken a close look at it and found it helpful.

    Just to summarise what I've done so far:

    Setup

    1. I've set up a Client App (WeatherConsumer) and a backend App (WeatherAPI) using the App Registration feature of Azure
    2. The appropriate permissions were set in the Client App using the (API Permissions) feature (see relevant attachment)
    3. In Azure API Management Services I then proceeded to enable OAuth 2.0 in the Security section of the backend app settings.

    Postman Client Tests
    Following the above setup, I proceeded to conduct the following tests with the Postman client:

    1. Authorize request as per the relevant attachment: I didn't have an error, but I am not sure whether what I obtained is the right result.
    2. Token request as per the relevant attachment: As is evident from the screenshot, I did obtain an access token.

    Backend App Test in Azure API Management Services

    Finally, I proceeded to test the Backend App by invoking one of the API methods as per the attached screenshots. Unfortunately the request failed its validation and I ended up with a "401. Unauthorized" response indicating that the access token is invalid.

    I would be grateful if you could give me some pointers where I could be going wrong with my setup and tests, and thank you in anticipation for your response.


  3. Shweta Mathur 22,731 Reputation points Microsoft Employee
    2022-04-08T13:40:11.81+00:00

    Chroafjd-0699,
    Thanks for the update.

    I have gone through the screenshots provided by you and understand you are trying to get an access token using the Authorization Grant flow.

    As I mentioned earlier as well, there are two endpoints to get the access token in the authorization grant flow.

    1. https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? to get the code, which is used to get the access token.
    2. https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token to get the access token based on the provided parameters.

    But as per the screenshot, to get the access token you have provided grant_type client-credential, which is a different OAuth flow to get the token and does not require the code retrieved from the authorize endpoint through the user’s interaction.

    The client credential flow is commonly used for server-to-server interactions that run in the background and do not require any user’s interaction.
    Also, the permission provided in the first screenshot is of Application type, which is used in the case of the client credential flow, and such permissions need to be granted directly to the application itself by an administrator.

    For OAuth flows which require the user’s consent, delegated permissions are required. Please refer to the permission types provided by the Microsoft Identity Platform.

    In the above answer I have mentioned the authorization flow to get the access token. I would suggest checking again the permissions assigned to the application and the parameters used to get the access token.

    If you need any other help around this, please let me know.

    Thanks,
    Shweta

    -------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

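The distinction this answer draws (client credential flow issues tokens with a roles claim from Application permissions; delegated flows put the consented permissions in scp) is what a gateway's token check sees, so a quick way to diagnose a "401 invalid token" is to decode the token payload and compare it with what the WeatherAPI expects. The following is an added example, not code from the thread or from Azure API Management: it decodes the payload without signature verification (the gateway does that), reports which flow the token came from, and checks the audience and the Weather.ReadAll app role from the manifest. The sample tokens are constructed locally and unsigned; the consumer app id is a placeholder.

```python
import base64
import json

API_APP_ID = "15260e57-4d7e-4fa9-b33f-33c60d67e8e7"   # WeatherAPI app id from the question's manifest
REQUIRED_ROLE = "Weather.ReadAll"                     # app role defined in that manifest


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Constructed sample only: an unsigned token for offline inspection, never for real use."""
    header = {"typ": "JWT", "alg": "none"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def inspect_token(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (the gateway's JWT validation does that)
    and explain how the token would fare against the WeatherAPI audience and role requirement."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    aud = payload.get("aud")
    roles = payload.get("roles", [])
    scp = payload.get("scp")
    if roles and not scp:
        flow = "client_credentials (Application permissions -> 'roles' claim)"
    elif scp:
        flow = "authorization_code (delegated permissions -> 'scp' claim)"
    else:
        flow = "unknown: token carries neither 'roles' nor 'scp'"
    # With accessTokenAcceptedVersion 2 the audience is the API's app id; the URI form covers v1 tokens.
    aud_ok = aud in (API_APP_ID, f"api://{API_APP_ID}")
    return {
        "flow": flow,
        "audience_ok": aud_ok,
        "has_required_role": REQUIRED_ROLE in roles,
        "would_pass": aud_ok and REQUIRED_ROLE in roles,
    }


if __name__ == "__main__":
    # Constructed: a token minted for the wrong audience (the consumer's own id, as in the question).
    wrong_aud = make_sample_token({"aud": "00000000-0000-0000-0000-000000000001", "roles": [REQUIRED_ROLE]})
    print(inspect_token(wrong_aud))
```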