2
votes

I am finding it hard to understand how I can differentiate multiple client applications using OAuth 2.0.

Using APIM I mapped my backend webservice to Azure API Gateway Service URL. I have configured OAuth 2.0 with grant type as client credentials because it's a service-to-service integration.

In OAuth registration, I have mapped my client and backend app IDs with secret keys - (OauthSample1.0). It does not have the provision to configure multiple clients for the same backend service.

And, in my API, I can add only one OAuth reference - (OauthSample1.0). Even if I would go ahead and create multiple OAuth 2.0 references for different clients, technically it cannot work with the API configuration.

This means I can have my API validate only one specified client using one OAuth 2.0 reference.

If I want my API to be accessed by different partners / client applications, my understanding is that I would need to create different clients in Azure AD. But unfortunately I am not able to design the solution here.

1 Answer

0
votes

The official doc for protecting your API using OAuth 2.0 covers the steps required in detail.

To summarize, the steps are:

  1. Register an application to represent the API
  2. Register separate applications to represent each of your client applications
  3. Set up a Validate JWT policy to pre-authorize requests.

Your clients would have to get the token using the client credentials flow before making the requests.

Also, if your clients are services that directly access the APIs, then you could set up app roles that show up as Application Permissions instead of Delegated Permissions.
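As an added example (not part of the original answer or of Microsoft's documentation), this is what step 3 looks like as an APIM inbound policy fragment once steps 1 and 2 are done. It assumes one app registration for the API, identified by `api://{api-app-id}`, and two partner client app registrations; every value in curly braces is a placeholder, not a real identifier. It shows how a single policy can accept tokens from several clients without a separate OAuth reference per client: the token's audience proves it was issued for this API, and the `azp` claim (the calling application's ID) is checked against an allow-list of the registered clients.

```xml
<!-- Added example policy fragment; replace every {placeholder} with your own tenant, API and client IDs. -->
<inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <!-- Signing keys are discovered from the tenant's OpenID metadata and cached by APIM. -->
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <!-- The token must have been issued for the app registration that represents the API (step 1). -->
        <audiences>
            <audience>api://{api-app-id}</audience>
        </audiences>
        <issuers>
            <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
        </issuers>
        <required-claims>
            <!-- Allow-list of the client app registrations from step 2. In a v2.0 access token the
                 calling application's ID is the "azp" claim; v1.0 tokens carry it as "appid" and use
                 the https://sts.windows.net/{tenant-id}/ issuer instead. -->
            <claim name="azp" match="any">
                <value>{partner-a-client-id}</value>
                <value>{partner-b-client-id}</value>
            </claim>
        </required-claims>
    </validate-jwt>
    <!-- Pass the verified caller identity to the backend so it can apply per-partner logic. -->
    <set-header name="X-Caller-App-Id" exists-action="override">
        <value>@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Claims.GetValueOrDefault("azp", ""))</value>
    </set-header>
</inbound>
```

Each partner obtains its token with the client credentials grant from `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token`, requesting `scope=api://{api-app-id}/.default`; the `azp` claim in the resulting token is the partner's own client ID, which is how the policy tells callers apart. To gate on the app roles mentioned in the answer instead of (or in addition to) client IDs, add a `<claim name="roles" match="any">` entry listing the role values assigned to the partner applications. Note that the OAuth 2.0 server reference attached to the API in APIM only drives the developer portal's test console; it does not enforce anything at runtime, so the `validate-jwt` policy is what actually protects the API.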