Context:
My software application is a multi-tenant application that customers can log into and generate their own clientIDs to use with a resource owner password flow OAuth Request.
Our OAuth 2.0 authorization server is built in WebAPI and inherits from the Microsoft provided Microsoft.Owin.Security.OAuth.OAuthAuthorizationServerProvider class. Currently, we only support one flow (resource owner password) to get a token, which looks like:
    POST /api/v1.0/token HTTP/1.1
    Host: api.mysoftwareapp.com

    UserName={username}&Password={password}&grant_type=password&client_id={client_id}
After we validate the credentials & client ID, we send back an access token generated by the Microsoft.Owin.Security.OAuth.OAuthAuthorizationServerProvider base class. In order to access a resource, a user would need to supply the access_token in the Authorization header as a Bearer token. Client ID is not required to be passed in again. Example below:
    GET /api/v1.0/Partners HTTP/1.1
    Host: api.mysoftwareapp.com
    Authorization: Bearer this_is_where_the_token_goes
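As an added illustration (not code from the question's application), this is how a provider derived from OAuthAuthorizationServerProvider can require client_id in the token request body, bind the resolved tenant to that client, and stamp both into the issued token as claims, so later calls carry the client identity without the caller re-sending it. IClientStore, IUserStore and the claim names are assumptions; the Microsoft.Owin.Security.OAuth types and methods are the library's own.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Assumed abstractions over the application's own client registrations and user store.
public interface IClientStore { string FindTenantForClient(string clientId); }   // null if unknown
public interface IUserStore  { string FindTenantForUser(string user, string pw); } // null if bad creds

public class TenantAuthServerProvider : OAuthAuthorizationServerProvider
{
    private readonly IClientStore _clients;
    private readonly IUserStore _users;

    public TenantAuthServerProvider(IClientStore clients, IUserStore users)
    { _clients = clients; _users = users; }

    // Runs first on every token request: client_id is read from the form body
    // (a public client, so no secret is expected) and must be a registered client.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetFormCredentials(out clientId, out clientSecret) || string.IsNullOrEmpty(clientId))
            context.SetError("invalid_client", "client_id is required in the request body.");
        else if (_clients.FindTenantForClient(clientId) == null)
            context.SetError("invalid_client", "Unknown client_id.");
        else
            context.Validated(clientId);
        return Task.FromResult<object>(null);
    }

    // grant_type=password: check the credentials, then refuse a client_id that belongs
    // to a different tenant than the user, so one tenant cannot act under another's client.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        string userTenant = _users.FindTenantForUser(context.UserName, context.Password);
        string clientTenant = _clients.FindTenantForClient(context.ClientId);
        if (userTenant == null || clientTenant != userTenant)
        {
            context.SetError("invalid_grant", "The user name, password or client_id is incorrect.");
            return Task.FromResult<object>(null);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("client_id", context.ClientId)); // assumed claim names
        identity.AddClaim(new Claim("tenant", userTenant));
        context.Validated(identity);
        return Task.FromResult<object>(null);
    }
}
```

A resource controller or a per-client throttle can then read the "client_id" claim from the bearer token instead of requiring the caller to pass the client ID on each request.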
I'd like to implement the developer portal feature of Azure API management and allow for my customers to be able to input their own username, password, and client ID when making test calls, so they get data back in the context of their tenant (and ultimately - enable rate limiting by client ID).
In the publisher portal, under Security->OAuth 2.0, I've:
- Only checked the Resource owner password grant type.
- Specified my authorization request method as POST.
- Added my token endpoint URL.
- Added grant_type / password as an additional body parameter.
- Left the resource owner password credentials blank.
I've also done the following since they were required, but I believe they do not apply, since we only support the resource owner password flow and handle client registrations through our own application:
- Added my authorization endpoint URL.
- Selected 'In the Body' as my client authentication method.
- Added fake client credentials.
- Added a fake client registration page URL.
When I navigate to the developer portal and view an endpoint, I can select 'Resource owner password' under my Auth server. However, when I select this, a popup shows that only lets me input my username and password, NOT my client ID.
How do I set up Azure API Management to allow a user to also specify the client ID they would like to use when setting up authorization - or would we need to change our API to require the client ID when making calls to specific resources instead of when requesting a token?
This is what I'd need: