1
votes

I am trying to secure APIM APIs using OAuth2 via AzureAD by reading the article: Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD

AzureAPIM - OAuth2

AzureAD - backend-app:

  • scope: Files.All

AzureAD - client-app:

For the Demo Conference API, add a Validate JWT policy to Inbound processing, where 3a0cf09b- is the tenant id and b7c31179- is the backend-app application id.

In the Developer portal, the authentication to AzureAD is successful and a token is returned.

However, the authorization fails when calling the API.

Inspecting the received token in jwt.io, I found that the "aud": "00000003-0000-0000-c000-000000000000" is not the backend-app application id:

{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/3a0cf09b-xxx/",
  "app_displayname": "client-app",
  "appid": "05a245fb-xxx",
  "scp": "Files.Read User.Read profile openid email",
  "tenant_region_scope": "OC",
  "tid": "3a0cf09b-2952-4673-9ace-0e1bf69ee23a",
  "unique_name": "[email protected]"
}

API Test HTTP response trace shows the error on validate-jwt:

validate-jwt (-0.138 ms)
{
    "message": "JWT Validation Failed: Claim value mismatch: aud=b7c31179-xxx.."
}

Replacing aud with the value in the token, 00000003-0000-0000-c000-000000000000, or removing the required-claims from the validate-jwt policy, gets it working.

Any idea please?


2 Answers

1
votes

It seems you chose the v1 endpoint of OAuth2 authorization rather than the v2 endpoint, so the value of aud in the access token should look like b7c31179-xxxx... and not api://b7c31179-xxxx.... So there are no mistakes in your steps for getting the access token.

According to some tests on my side, the cause of this problem is that you did not specify a parameter resource with the value of the backend-app application id when you configured OAuth2.0 in your APIM. The document you refer to also mentions this (I tested without specifying this parameter, and it shows the same problem as yours).

So to solve this problem, please go to your APIM, click the "OAuth 2.0" tab and edit the item you created. Add a parameter resource with the value of the backend-app application id.

Note: When you add the parameter resource and click the "Save" button, please open the item again and check whether the "Client secret" box is empty. When I tested on my side, the "Client secret" box showed empty after adding the parameter resource; it may be a bug on that page. If "Client secret" is empty, it might show an error message like The request body must contain the following parameter: 'client_assertion' or 'client_secret' when you get the access token in the Developer portal.
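The aud check that the question's validate-jwt policy performs, and the two audience forms this answer distinguishes (a bare GUID from the v1 endpoint, the api:// form from v2), as an added Python example that is not from the question, this answer or Azure APIM. It signs a constructed HS256 test token so the check has input (real Azure AD tokens are RS256 and APIM fetches the signing keys from the openid-config URL); the full backend-app id is a placeholder because the page truncates it.

```python
import base64
import hashlib
import hmac
import json

# aud seen in the question's token (Microsoft Graph, not the backend-app)
GRAPH_AUD = "00000003-0000-0000-c000-000000000000"
# Placeholder: the page truncates the backend-app application id to "b7c31179-"
BACKEND_APP_ID = "b7c31179-0000-0000-0000-000000000000"
# v1 endpoint issues the bare GUID, v2 the api:// form; accept either (match="any")
REQUIRED_AUD = {BACKEND_APP_ID, f"api://{BACKEND_APP_ID}"}

def _b64url_decode(s: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token so the check has input to run on (test helper only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jwt(token: str, key: bytes, required_aud: set) -> dict:
    """Mirror of validate-jwt: verify the signature first, then the required aud claim."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "message": "JWT Validation Failed: malformed token"}
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return {"ok": False, "message": "JWT Validation Failed: unexpected alg"}
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return {"ok": False, "message": "JWT Validation Failed: signature invalid"}
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud", [])
    present = {aud} if isinstance(aud, str) else set(aud)  # aud may be a string or an array
    if not present & required_aud:
        # Same shape as the trace in the question: the policy reports the value(s) it required
        wanted = ",".join(sorted(required_aud))
        return {"ok": False, "message": f"JWT Validation Failed: Claim value mismatch: aud={wanted}"}
    return {"ok": True, "claims": claims}

if __name__ == "__main__":
    key = b"constructed-test-key"
    for aud in (GRAPH_AUD, BACKEND_APP_ID):
        print(aud, "->", validate_jwt(make_token({"aud": aud}, key), key, REQUIRED_AUD))
```

A token minted for Graph (the question's case) fails with the same "Claim value mismatch" message APIM logged, while one minted with resource set to the backend-app passes; the signature and alg checks come first so a forged payload never reaches the claim comparison.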

2
votes

From your error report, it is indeed a 401 error, that is, your aud does not match the API you want to call. I use the auth code flow to do a simple demonstration for you:

First, expose the API of the back-end application and add the client application.


Next, under 'API permissions', give your front-end application access to your backend API:

  • Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
  • Find your backend application and select the appropriate scope.
  • Click 'Add permissions'.
  • Grant admin consent for your APIs.


Get the token, then parse it.