
Authentication and Authorization using Entra ID

1. Authentication and Authorization using Entra ID

Let's revisit the concepts of authentication and authorization and see how those can be enabled in Entra ID, which is the default identity provider in Azure.

2. Fundamental OAuth concepts

Before we look at how Entra ID can act as an OAuth service to an API Manager, we need to understand the fundamental concepts and terminology. These are the same regardless of whether we use Entra ID or something else. The protocol relies on an Identity Provider, or IdP.

3. Why use an identity provider

You can think of an IdP as a car valet. Imagine your car contains a glovebox full of valuables. You want to let the valet park your car, but you'd never hand over your full set of keys (which would let them open the glovebox). Instead, you give them a valet key that only lets them park. In the same way, the IdP manages security for applications, but it can't access any secure data inside the applications. Entra ID acts as the IdP. The API Manager instance acts as the client.

4. Registering Entra ID app

Entra ID can be found in the Azure Portal. You will need high-privilege contributor access to be able to manage it. To apply OAuth security to an application, a new entity needs to be added under app registrations with a custom name and a valid redirect URL. If we are connecting Entra ID to APIM, the redirect URL would be an address of the APIM instance. This is so that, upon a successful login, Entra ID knows where to redirect the request.

5. Capturing client information

Once an app is registered, we need to capture the Application (Client) ID and the Tenant ID, and then generate a client secret. Think of the Application (Client) ID and the Tenant ID as your application's public address. When your code needs to authenticate, it uses these to tell Entra ID 'who' it is. The Client Secret is your application's password. Your code will present this secret to prove its identity. This is why you must always store it securely and never expose it in client-side code.

6. Obtaining Endpoint URLs

Before we can connect the client to the IdP, we need to obtain the IdP endpoint URLs. In Entra ID, this is done by clicking the Endpoints tab on the Overview page of the app registration. The endpoints we need to capture are the OAuth 2.0 authorization and token endpoints. These endpoints are the specific doors your application will knock on. Your code will redirect users to the authorization endpoint to sign in. Then, your application's backend will use the token endpoint to exchange the returned authorization code for an actual access token.

7. Connecting APIM to Entra ID

The next step is to configure API Management as a confidential client. Back in the APIM instance, we would open the "OAuth 2.0 + OpenID Connect" settings under the APIs section and define a new authorization server. Here, we’ll plug in the appropriate endpoints, paste in the client ID and secret, and specify the scopes your API exposes.
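The two-step flow described in slides 5 and 6 (browser redirect to the authorization endpoint, then a server-side exchange of the code at the token endpoint using the client ID and secret), written out as an added Python example that is not part of the course material. The tenant ID, client ID and APIM redirect address are placeholders, and the endpoint URLs are assumed to take the v2.0 form shown; substitute the values copied from your own app registration's Endpoints tab.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders for the values captured from the app registration (assumed, not real).
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<application-client-id>"
REDIRECT_URI = "https://my-apim.azure-api.net/signin-oauth"  # hypothetical APIM address

# Entra ID v2.0 endpoints as listed on the app registration's Endpoints tab.
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

def new_state():
    """Unguessable per-login value; store it server-side and check it on the callback."""
    return secrets.token_urlsafe(32)

def build_authorize_url(scopes, state):
    """Front-channel step: the URL the user's browser is redirected to for sign-in."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def extract_code(callback_url, expected_state):
    """Pull the authorization code out of the redirect Entra ID sends back,
    rejecting it if it did not land on the registered redirect URL, if the state
    does not match the one issued at login, or if Entra ID reported an error."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive on the registered redirect URL")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible forged or replayed callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]

def token_request_body(code, client_secret):
    """Back-channel step: form body the backend POSTs to TOKEN_ENDPOINT.
    The client secret appears only here, server-side, never in browser code."""
    return {"client_id": CLIENT_ID, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
```

The scope value (for example the `api://<app-id>/.default` form) comes from what your API exposes; the POST itself is left to whichever HTTP client your backend already uses.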

8. Let's practice!

Let's practice what we learned!
