Authorization Server - Create Or Update

Creates a new authorization server or updates an existing one.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/authorizationServers/{authsid}?api-version=2022-08-01

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| authsid | path | True | string | Identifier of the authorization server. Regex pattern: `^[^*#&+:<>?]+$` |
| resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
| serviceName | path | True | string | The name of the API Management service. Regex pattern: `^[a-zA-Z](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$` |
| subscriptionId | path | True | string | The ID of the target subscription. |
| api-version | query | True | string | The API version to use for this operation. |

Request Header

| Name | Required | Type | Description |
|---|---|---|---|
| If-Match | | string | ETag of the Entity. Not required when creating an entity, but required when updating an entity. |

Request Body

| Name | Required | Type | Description |
|---|---|---|---|
| properties.authorizationEndpoint | True | string | OAuth authorization endpoint. See http://tools.ietf.org/html/rfc6749#section-3.2. |
| properties.clientId | True | string | Client or app id registered with this authorization server. |
| properties.clientRegistrationEndpoint | True | string | Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. |
| properties.displayName | True | string | User-friendly authorization server name. |
| properties.grantTypes | True | GrantType[] | Form of an authorization grant, which the client uses to request the access token. |
| properties.authorizationMethods | | AuthorizationMethod[] | HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. |
| properties.bearerTokenSendingMethods | | BearerTokenSendingMethod[] | Specifies the mechanism by which access token is passed to the API. |
| properties.clientAuthenticationMethod | | ClientAuthenticationMethod[] | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. |
| properties.clientSecret | | string | Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. |
| properties.defaultScope | | string | Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. |
| properties.description | | string | Description of the authorization server. Can contain HTML formatting tags. |
| properties.resourceOwnerPassword | | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. |
| properties.resourceOwnerUsername | | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. |
| properties.supportState | | boolean | If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. |
| properties.tokenBodyParameters | | TokenBodyParameterContract[] | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. |
| properties.tokenEndpoint | | string | OAuth token endpoint. Contains absolute URI to entity being referenced. |
| properties.useInApiDocumentation | | boolean | If true, the authorization server will be used in the API documentation in the developer portal. False by default if no value is provided. |
| properties.useInTestConsole | | boolean | If true, the authorization server may be used in the developer portal test console. True by default if no value is provided. |

Responses

| Name | Type | Description |
|---|---|---|
| 200 OK | AuthorizationServerContract | Authorization server is already registered. Headers: ETag: string |
| 201 Created | AuthorizationServerContract | Authorization server was successfully registered. Headers: ETag: string |
| Other Status Codes | ErrorResponse | Error response describing why the operation failed. |

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |

Examples

ApiManagementCreateAuthorizationServer

Sample Request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/authorizationServers/newauthServer?api-version=2022-08-01

{
  "properties": {
    "displayName": "test2",
    "useInTestConsole": false,
    "useInApiDocumentation": true,
    "description": "test server",
    "clientRegistrationEndpoint": "https://www.contoso.com/apps",
    "authorizationEndpoint": "https://www.contoso.com/oauth2/auth",
    "authorizationMethods": [
      "GET"
    ],
    "tokenEndpoint": "https://www.contoso.com/oauth2/token",
    "supportState": true,
    "defaultScope": "read write",
    "grantTypes": [
      "authorizationCode",
      "implicit"
    ],
    "bearerTokenSendingMethods": [
      "authorizationHeader"
    ],
    "clientId": "1",
    "clientSecret": "2",
    "resourceOwnerUsername": "un",
    "resourceOwnerPassword": "pwd"
  }
}
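
A pre-flight check for the request described above, added here as an example and not taken from Microsoft's documentation or SDKs. It enforces the constraints this page documents (both regex patterns, the required properties, the enum values, GET in authorizationMethods) and sets If-Match only for updates. The names `validate` and `build_put` are hypothetical; nothing is sent and acquiring the bearer token is left out.

```python
import json
import re
from urllib.parse import quote

# Constraints copied from the parameter and definition tables on this page.
AUTHSID_RE = re.compile(r"^[^*#&+:<>?]+$")
SERVICE_RE = re.compile(r"^[a-zA-Z](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$")
REQUIRED = ("authorizationEndpoint", "clientId", "clientRegistrationEndpoint",
            "displayName", "grantTypes")
ENUMS = {
    "grantTypes": {"authorizationCode", "clientCredentials", "implicit",
                   "resourceOwnerPassword"},
    "authorizationMethods": {"DELETE", "GET", "HEAD", "OPTIONS", "PATCH",
                             "POST", "PUT", "TRACE"},
    "bearerTokenSendingMethods": {"authorizationHeader", "query"},
    "clientAuthenticationMethod": {"Basic", "Body"},
}

def validate(authsid, service_name, props):
    """Return the list of documented constraints the request violates."""
    errors = []
    if not AUTHSID_RE.fullmatch(authsid):
        errors.append("authsid contains a forbidden character")
    if not SERVICE_RE.fullmatch(service_name):
        errors.append("serviceName does not match the documented pattern")
    errors += [f"missing required properties.{k}" for k in REQUIRED if k not in props]
    for field, allowed in ENUMS.items():
        bad = set(props.get(field, [])) - allowed
        if bad:
            errors.append(f"properties.{field}: unknown value(s) {sorted(bad)}")
    if "GET" not in props.get("authorizationMethods", ["GET"]):
        errors.append("properties.authorizationMethods must include GET")
    for p in props.get("tokenBodyParameters", []):
        if not (isinstance(p.get("name"), str) and isinstance(p.get("value"), str)):
            errors.append("tokenBodyParameters entries need string name and value")
    return errors

def build_put(sub, rg, service_name, authsid, props, etag=None):
    """Return (url, headers, body); etag=None means create, otherwise update."""
    errors = validate(authsid, service_name, props)
    if errors:
        raise ValueError("; ".join(errors))
    # The authsid pattern still allows "/" and spaces, so encode the path segment.
    url = (f"https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
           f"/providers/Microsoft.ApiManagement/service/{service_name}"
           f"/authorizationServers/{quote(authsid, safe='')}?api-version=2022-08-01")
    headers = {"Content-Type": "application/json"}
    if etag is not None:
        headers["If-Match"] = etag  # required when updating an existing entity
    return url, headers, json.dumps({"properties": props})
```

Calling `build_put("subid", "rg1", "apimService1", "newauthServer", props)` with the properties from the sample request reproduces the sample URL with no If-Match header.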

Sample Response

{
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/authorizationServers/newauthServer",
  "type": "Microsoft.ApiManagement/service/authorizationServers",
  "name": "newauthServer",
  "properties": {
    "displayName": "test2",
    "useInTestConsole": false,
    "useInApiDocumentation": true,
    "description": "test server",
    "clientRegistrationEndpoint": "https://www.contoso.com/apps",
    "authorizationEndpoint": "https://www.contoso.com/oauth2/auth",
    "authorizationMethods": [
      "GET"
    ],
    "tokenEndpoint": "https://www.contoso.com/oauth2/token",
    "supportState": true,
    "defaultScope": "read write",
    "grantTypes": [
      "authorizationCode",
      "implicit"
    ],
    "bearerTokenSendingMethods": [
      "authorizationHeader"
    ],
    "clientId": "1",
    "resourceOwnerUsername": "un",
    "resourceOwnerPassword": "pwd"
  }
}

Definitions

| Name | Description |
|---|---|
| AuthorizationMethod | HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. |
| AuthorizationServerContract | External OAuth authorization server settings. |
| BearerTokenSendingMethod | Specifies the mechanism by which access token is passed to the API. |
| ClientAuthenticationMethod | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. |
| ErrorFieldContract | Error Field contract. |
| ErrorResponse | Error Response. |
| GrantType | Form of an authorization grant, which the client uses to request the access token. |
| TokenBodyParameterContract | OAuth acquire token request body parameter (www-url-form-encoded). |

AuthorizationMethod

HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional.

| Name | Type | Description |
|---|---|---|
| DELETE | string | |
| GET | string | |
| HEAD | string | |
| OPTIONS | string | |
| PATCH | string | |
| POST | string | |
| PUT | string | |
| TRACE | string | |

AuthorizationServerContract

External OAuth authorization server settings.

| Name | Type | Description |
|---|---|---|
| id | string | Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName} |
| name | string | The name of the resource |
| properties.authorizationEndpoint | string | OAuth authorization endpoint. See http://tools.ietf.org/html/rfc6749#section-3.2. |
| properties.authorizationMethods | AuthorizationMethod[] | HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. |
| properties.bearerTokenSendingMethods | BearerTokenSendingMethod[] | Specifies the mechanism by which access token is passed to the API. |
| properties.clientAuthenticationMethod | ClientAuthenticationMethod[] | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. |
| properties.clientId | string | Client or app id registered with this authorization server. |
| properties.clientRegistrationEndpoint | string | Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. |
| properties.clientSecret | string | Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. |
| properties.defaultScope | string | Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. |
| properties.description | string | Description of the authorization server. Can contain HTML formatting tags. |
| properties.displayName | string | User-friendly authorization server name. |
| properties.grantTypes | GrantType[] | Form of an authorization grant, which the client uses to request the access token. |
| properties.resourceOwnerPassword | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. |
| properties.resourceOwnerUsername | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. |
| properties.supportState | boolean | If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. |
| properties.tokenBodyParameters | TokenBodyParameterContract[] | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. |
| properties.tokenEndpoint | string | OAuth token endpoint. Contains absolute URI to entity being referenced. |
| properties.useInApiDocumentation | boolean | If true, the authorization server will be used in the API documentation in the developer portal. False by default if no value is provided. |
| properties.useInTestConsole | boolean | If true, the authorization server may be used in the developer portal test console. True by default if no value is provided. |
| type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |

BearerTokenSendingMethod

Specifies the mechanism by which access token is passed to the API.

| Name | Type | Description |
|---|---|---|
| authorizationHeader | string | |
| query | string | |

ClientAuthenticationMethod

Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format.

| Name | Type | Description |
|---|---|---|
| Basic | string | Basic Client Authentication method. |
| Body | string | Body based Authentication method. |

ErrorFieldContract

Error Field contract.

| Name | Type | Description |
|---|---|---|
| code | string | Property level error code. |
| message | string | Human-readable representation of property-level error. |
| target | string | Property name. |

ErrorResponse

Error Response.

| Name | Type | Description |
|---|---|---|
| error.code | string | Service-defined error code. This code serves as a sub-status for the HTTP error code specified in the response. |
| error.details | ErrorFieldContract[] | The list of invalid fields sent in the request, in case of validation error. |
| error.message | string | Human-readable representation of the error. |

GrantType

Form of an authorization grant, which the client uses to request the access token.

| Name | Type | Description |
|---|---|---|
| authorizationCode | string | Authorization Code Grant flow as described in https://tools.ietf.org/html/rfc6749#section-4.1. |
| clientCredentials | string | Client Credentials Grant flow as described in https://tools.ietf.org/html/rfc6749#section-4.4. |
| implicit | string | Implicit Code Grant flow as described in https://tools.ietf.org/html/rfc6749#section-4.2. |
| resourceOwnerPassword | string | Resource Owner Password Grant flow as described in https://tools.ietf.org/html/rfc6749#section-4.3. |

TokenBodyParameterContract

OAuth acquire token request body parameter (www-url-form-encoded).

| Name | Type | Description |
|---|---|---|
| name | string | Body parameter name. |
| value | string | Body parameter value. |