Configure identity providers for API authorizations
In this article, you learn about configuring identity providers for authorizations in your API Management instance. Settings for the following common providers are shown:
- Azure AD provider
- Generic OAuth 2.0 provider
You add identity provider settings when configuring an authorization in your API Management instance. For a step-by-step example of configuring an Azure AD provider and authorization, see:
Prerequisites
To configure any of the supported providers in API Management, first configure an OAuth 2.0 app in the identity provider that will be used to authorize API access. For configuration details, see the provider's developer documentation.
If you're creating an authorization that uses the authorization code grant type, configure a Redirect URL (sometimes called Authorization Callback URL or a similar name) in the app. For the value, enter https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>. Depending on your scenario, configure app settings such as scopes (API permissions).
Minimally, retrieve the following app credentials that will be configured in API Management: the app's client id and client secret.
Depending on the provider and your scenario, you might need to retrieve other settings such as authorization endpoint URLs or scopes.
Azure AD provider
Authorizations support the Azure AD identity provider, which is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows users to securely sign in using industry-standard protocols.
- Supported grant types: authorization code, client credentials
Note
Currently, the Azure AD authorization provider supports only the Azure AD v1.0 endpoints.
Azure AD provider settings
Property | Description | Required | Default |
---|---|---|---|
Provider name | Name of authorization provider resource in API Management | Yes | N/A |
Identity provider | Select Azure Active Directory v1 | Yes | N/A |
Grant type | The OAuth 2.0 authorization grant type to use. Depending on your scenario, select either Authorization code or Client credentials. | Yes | Authorization code |
Client id | The application (client) id used to identify the Azure AD app | Yes | N/A |
Client secret | The client secret used for the Azure AD app | Yes | N/A |
Login URL | The Azure AD login URL | No | https://login.windows.net |
Resource URL | The URL of the resource that requires authorization. Example: https://graph.microsoft.com | Yes | N/A |
Tenant ID | The tenant ID of your Azure Active Directory app | No | common |
Scopes | One or more API permissions for your Azure AD app, separated by the " " character. Example: ChannelMessage.Read.All User.Read | No | API permissions set in Azure AD app |
Generic OAuth 2.0 providers
Authorizations support two generic providers:
- Generic OAuth 2.0
- Generic OAuth 2.0 with PKCE
A generic provider allows you to use your own OAuth 2.0 identity provider based on your specific needs.
Note
We recommend using the generic OAuth 2.0 with PKCE provider for improved security if your identity provider supports it.
- Supported grant types: authorization code, client credentials
Generic authorization provider settings
Property | Description | Required | Default |
---|---|---|---|
Provider name | Name of authorization provider resource in API Management | Yes | N/A |
Identity provider | Select Generic OAuth 2 or Generic OAuth 2 with PKCE. | Yes | N/A |
Grant type | The OAuth 2.0 authorization grant type to use. Depending on your scenario and your identity provider, select either Authorization code or Client credentials. | Yes | Authorization code |
Authorization URL | The authorization endpoint URL | No | UNUSED |
Client id | The id used to identify an app to the identity provider's authorization server | Yes | N/A |
Client secret | The secret used by the app to authenticate with the identity provider's authorization server | Yes | N/A |
Refresh URL | The URL that your app makes a request to in order to exchange a refresh token for a renewed access token | No | UNUSED |
Token URL | The URL on the identity provider's authorization server that is used to programmatically request tokens | Yes | N/A |
Scopes | One or more specific actions the app is allowed to do or information that it can request on a user's behalf from an API, separated by the " " character. Example: user web api openid | No | N/A |
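The PKCE recommendation and the Redirect URL and Scopes settings above, shown as an added Python example (not code from this article or from API Management): it derives the S256 code challenge that a Generic OAuth 2.0 with PKCE provider sends, builds an authorization-code request using the API Management redirect URL pattern and space-separated scopes, and performs the verifier check a token endpoint applies when the code is redeemed. The service name, authorization URL and client id used in the calls are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Callback URL pattern that API Management requires in the identity provider app
# (from the article); the service name is the only variable part.
REDIRECT_URL_TEMPLATE = (
    "https://authorization-manager.consent.azure-apim.net/redirect/apim/{service_name}"
)


def apim_redirect_url(service_name: str) -> str:
    """Build the Redirect URL to register in the OAuth 2.0 app for one API Management service."""
    if not service_name or "/" in service_name or "?" in service_name:
        raise ValueError("service name must be a single path segment")
    return REDIRECT_URL_TEMPLATE.format(service_name=service_name)


def new_code_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes -> 43 URL-safe characters (allowed length 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(authorization_url: str, client_id: str, service_name: str,
                                scopes: list, code_verifier: str, state: str) -> str:
    """Authorization-code request with PKCE. Scopes are joined with " " as the settings table describes.

    Only the challenge travels in the front channel; the verifier stays with the client until the
    code is redeemed at the Token URL, so an intercepted authorization code alone cannot be exchanged.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": apim_redirect_url(service_name),
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorization_url}?{urlencode(params)}"


def verifier_matches(code_verifier: str, stored_challenge: str) -> bool:
    """The check the token endpoint performs when the client redeems the code with its verifier."""
    return secrets.compare_digest(pkce_challenge(code_verifier), stored_challenge)
```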
Other identity providers
API Management supports several providers for popular SaaS offerings, such as GitHub. You can select from a list of these providers in the Azure portal when you create an authorization.
- Supported grant types: authorization code, client credentials (depends on provider)
Required settings for these providers differ from provider to provider but are similar to those for the generic OAuth 2.0 providers. Consult the developer documentation for each provider.
Next steps
- Learn more about authorizations in API Management.
- Create an authorization for Azure AD or GitHub.