Reputation: 4856
I am trying to secure APIM APIs using OAuth2 via AzureAD by reading the article: Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD
AzureAPIM - OAuth2
AzureAD - backend-app:
AzureAD - client-app:
For Demo Conference API, add Validate JWT policy to Inbound processing, where 3a0cf09b- is the tenant id and b7c31179- is the backend-app application id:
In Developer portal, the authentication to AzureAD is successful with a return token:
However the authorization is failed with calling the API:
Inspecting the received token in jwt.io, I found that the "aud": "00000003-0000-0000-c000-000000000000" is not the backend-app application id:
{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/3a0cf09b-xxx/",
  "app_displayname": "client-app",
  "appid": "05a245fb-xxx",
  "scp": "Files.Read User.Read profile openid email",
  "tenant_region_scope": "OC",
  "tid": "3a0cf09b-2952-4673-9ace-0e1bf69ee23a",
  "unique_name": "[email protected]"
}
API Test HTTP response trace shows the error on validate-jwt:
validate-jwt (-0.138 ms)
{
  "message": "JWT Validation Failed: Claim value mismatch: aud=b7c31179-xxx.."
}
Replacing aud by the value in the token, 00000003-0000-0000-c000-000000000000, or removing the required-claims in the validate-jwt policy, gets it working.
Any idea please?
Upvotes: 5
Views: 11974
Reputation: 15754
It seems you chose the v1 endpoint of OAuth2 authorization rather than the v2 endpoint, so the value of aud in the access token should look like b7c31179-xxxx.... and not api://b7c31179-xxxx..... So there are no mistakes in your steps to get the access token.
According to some tests on my side, the cause of this problem is that you did not specify a parameter resource with the value of the backend-app application id when you configured OAuth 2.0 in your APIM. The document you refer to also mentions this (I tested without specifying this parameter and it shows the same problem as yours).
So to solve this problem, please go to your APIM, click the "OAuth 2.0" tab and edit the item you created. Add a parameter resource with the value of the backend-app application id.
Note: When you add the parameter resource and click the "Save" button, please open the item again and check whether the "Client secret" box is empty. When I tested on my side, the "Client secret" box showed empty after adding the parameter resource; it may be a bug on that page. If "Client secret" is empty, it might show an error message like The request body must contain the following parameter: 'client_assertion' or 'client_secret' when you get the access token in the Developer portal.
Upvotes: 1
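To make the failure concrete, here is an added example (not code from the question, the answers or Azure APIM) that reproduces the issuer and required-claims aud check that validate-jwt performed on the token above, run offline against a constructed unsigned token built from the claims in the question. The tenant id is the tid from the question; the full backend-app id is a placeholder because the question only shows its b7c31179- prefix, and the signature check that APIM does with the tenant's signing keys is left out.

```python
import base64
import json

# Constructed values: the tenant id is the tid from the question; the backend-app
# id is a placeholder since the question only shows its b7c31179- prefix.
TENANT_ID = "3a0cf09b-2952-4673-9ace-0e1bf69ee23a"
BACKEND_APP_ID = "b7c31179-0000-0000-0000-000000000000"  # placeholder


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a test-only token (alg=none) so the claim check can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Return the payload claims; base64url padding has to be restored first."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_required_claims(token: str, backend_app_id: str, tenant_id: str) -> str:
    """Mirror the validate-jwt issuer and aud checks (signature check omitted)."""
    claims = decode_claims(token)
    # v1 tokens are issued by sts.windows.net, v2 tokens by login.microsoftonline.com/.../v2.0
    allowed_iss = {f"https://sts.windows.net/{tenant_id}/",
                   f"https://login.microsoftonline.com/{tenant_id}/v2.0"}
    if claims.get("iss") not in allowed_iss:
        return f"issuer mismatch: iss={claims.get('iss')}"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # v1 endpoint puts the bare app id in aud; v2 may use the api://<app id> URI form
    if not {backend_app_id, f"api://{backend_app_id}"} & set(auds):
        return f"Claim value mismatch: expected aud {backend_app_id}, got {aud}"
    return "ok"


# Token as in the question: no resource parameter was sent, so aud is Microsoft Graph's app id.
GRAPH_TOKEN = make_unsigned_jwt({
    "aud": "00000003-0000-0000-c000-000000000000", "tid": TENANT_ID, "appid": "05a245fb-xxx",
    "iss": f"https://sts.windows.net/{TENANT_ID}/", "scp": "Files.Read User.Read profile openid email"})
# Token after adding resource=<backend-app id> to the APIM OAuth 2.0 settings.
BACKEND_TOKEN = make_unsigned_jwt({
    "aud": BACKEND_APP_ID, "tid": TENANT_ID, "appid": "05a245fb-xxx",
    "iss": f"https://sts.windows.net/{TENANT_ID}/"})
```

Running check_required_claims on GRAPH_TOKEN returns the same kind of aud mismatch APIM reported, while BACKEND_TOKEN passes; a v2 token carrying api://<backend-app id> in aud passes as well.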
Reputation: 9559
From your error report, it is indeed a 401 error, that is, your aud does not match the API you want to call. I use the auth code flow to do a simple demonstration for you:
First, expose the API of the back-end application and add the client application.
Next, under 'API permissions', give your front-end application access to your backend API:
Get token:
Parse the token:
Upvotes: 4