Azure API Management OAuth2 Configuration - Creating Authorization Service and ClientID/Secret

0
votes

I'm enabling OAuth2 for my Azure API Management instance. I click Add to add OAuth2, and it's asking me to enter name, and description of authorization service, so my thinking is I am creating an authorization service here.

Why is it asking me to provide client id, client secret, resource owner user, and resource owner password. I understand the concepts of OAuth2 and how these are used, but I am setting up API Management to handle OAuth2 authorization, so the job of the Authorization server will be to validate authorization codes and client secrets. The clients will have their own Client IDs and Client Secrets. Resource Owner should be an Azure AD identity with it's own user name and password.

Why, when I am setting up the authorization server for API Management is it asking me to enter Client ID and Client Secret as well as Resource Owner credentials. It doesn't make sense to me. Can someone explain?

So....what gives? Am I in the wrong screen because API Management

enter image description here

3
azureoauth-2.0azure-active-directoryazure-api-management

3 Answers

3
votes

APIM can't be used as OAuth server. The only reason at the moment to configure OAuth/OIDC server in APIM is to make sure it's included into exported specification of an API and that developer portal has a convenient UI to let users obtain tokens, nothing else. That's why it's expected to provide client id and secret, because APIM is effectively a client.

1
votes

Step 1 : Choose an OAuth provider such as Auth0

Step 2 : Configure various OAuth scenarios as API's in your OAuth provider (API is the term Auth0 uses, other providers might refer to them with other terms)

Step 3 : Create APIM OAuth 2 records, filling in the fields in your question (client id, client secret). Create a record for each API you have configured in your OAuth provider (in Step 2).

Step 4 : In the APIM edit the details of the various API's choosing the appropriate OAuth record you setup in Step 3. Here you are choosing the OAuth scenario for each of your APIs. Many APIs may use the same scenario, but obviously an individual APIM API entry can only link to 1 OAuth scenario

Thus you have configured various APIs in the APIM against various OAuth scenarios. Usually the details behind the OAuth setup are invisible to the API and are so setup and exposed only by their ClientID, secret and urls for token and authorise.

Auth0 has a good tutorial for seting up Azure APIM: HERE

0
votes

apim should have it's own identity. Have you created an app registration for the instance? The credentials from the app reg on aad used will identify apim and allow validation of the token.