Mihir Khandekar

Reputation: 108

Azure API Management Client Authentication

I have an API Management resource on Azure which uses an API running as a Kubernetes cluster. I want to have OAuth2.0 authentication for clients/applications which connect to the API management URL. I do not want any user authentication, but only want clients which want to use the URL to send a client ID and client Secret.

How do I do this? I could not find anything related to this in the documentation.

Upvotes: 1

Views: 5276

Answers (2)

Vetrivel mp

Reputation: 1214

If you don't want user context to be involved, you must prepare client credential flow from OAuth 2.0, which uses client id and client secret.

I am explaining using Azure AD.

1) Create Application in Azure AD and get client id and secret (https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-new-portal/)

2) Call token endpoint of Azure AD to get secured token (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)

3) Pass this token to APIM using authorize or from any header

4) Validate JWT and check issuer, audience and application level scopes (https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT)

Upvotes: 4
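An inbound API Management policy for step 4 of the answer above, added here as an example and not part of the original answer. The tenant ID, the audience URI and the `Api.Access` app role name are placeholders to replace with your own values; the role check assumes application permissions are delivered in the token's `roles` claim, as Azure AD does for client-credentials tokens.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject any call that lacks a valid, signed, unexpired bearer token
             before it reaches the backend. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <!-- Signing keys are fetched from the tenant's metadata document.
                 {tenant-id} is a placeholder. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
            <!-- aud must be the API's own app registration (placeholder),
                 not the calling client's ID. -->
            <audiences>
                <audience>{api-app-id-uri}</audience>
            </audiences>
            <!-- iss must match the token exactly. This is the v1.0 issuer
                 format; v2.0 tokens carry a different issuer string. -->
            <issuers>
                <issuer>https://sts.windows.net/{tenant-id}/</issuer>
            </issuers>
            <!-- Hypothetical app role granted to the client applications
                 that are allowed to call this API. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Api.Access</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Pinning the audience and requiring a role matters here: without them, a token issued by the same tenant for a different application would also pass signature and issuer checks.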

astaykov

Reputation: 30903

Not sure what exactly you are asking!

But here are two places where you will find a solution to your question:

Upvotes: 0
