| 1 | +--- |
| 2 | +title: Authorize test console of API Management developer portal - OAuth 2.0 |
| 3 | +titleSuffix: Azure API Management |
| 4 | +description: Set up OAuth 2.0 user authorization for the test console in Azure API Management developer portal. This example uses Microsoft Entra ID as OAuth 2.0 provider. |
| 5 | +services: api-management |
| 6 | +author: dlepow |
| 7 | + |
| 8 | +ms.service: azure-api-management |
| 9 | +ms.topic: how-to |
| 10 | +ms.date: 01/06/2025 |
| 11 | +ms.author: danlep |
| 12 | +ms.custom: engagement-fy23 |
| 13 | +--- |
| 14 | + |
| 15 | +# Create and authorize access to products using OAuth 2.0 application |
| 16 | + |
| 17 | +[!INCLUDE [api-management-availability-premium-dev-standard-basic](../../includes/api-management-availability-premium-dev-standard-basic.md)] |
| 18 | + |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +Applications feature is now available for private preview testing. |
| 23 | + |
| 24 | + |
| 25 | +> [!NOTE] |
| 26 | +> This feature is in private preview. Ensure that you have ... |
| 27 | +
|
| 28 | +This feature enables: |
| 29 | + |
| 30 | +* API Management gateway can now authorize product/API access using OAuth token |
| 31 | +* API managers can identify products which have OAuth authorization enabled |
| 32 | +* API managers can create client applications and assign access to products |
| 33 | +* Developers can view all client applications and use OAuth token to get secure access to product/API |
| 34 | + |
| 35 | +## Prerequisites |
| 36 | + |
| 37 | +- An API Management instance deployed in one of the Azure Early Updates Access Program (EUAP) regions, such as Central US EUAP. If you haven't yet created an API Management service instance, see [Create an API Management service instance](get-started-create-service-instance). The API Management instance must be in **Premium**, **Standard**, **Basic**, or **Developer** tier. |
| 38 | + |
| 39 | + > [!NOTE] |
| 40 | + > If you don't have access to an EUAP region, you can [request it](/troubleshoot/azure/general/region-access-request-process) through the Azure portal. |
| 41 | +
|
| 42 | +- At least one product in your API Management instance, with at least one API assigned to it. If you haven't yet created a product, see [Create and publish a product](api-management-howto-add-products.md). For testing, you may use the default **Starter** product and the **Echo** API that's added to it. |
| 43 | + |
| 44 | +- Permissions to create an app registration in your Microsoft Entra tenant. |
| 45 | + |
| 46 | +- Permissions to assign the **Application Administrator** role, which requires at least the **Privileged Role Administrator** role in Microsoft Entra. |
| 47 | + |
| 48 | + |
| 49 | +[Any special considerations to access the preview - regions, special URLs, etc.] |
| 50 | + |
| 51 | +## Scenario overview |
| 52 | + |
| 53 | +The following are the high level configuration steps: |
| 54 | + |
| 55 | +1. Register an application ...in Microsoft Entra ID. |
| 56 | + |
| 57 | +1. The developer portal requests a token from Microsoft Entra ID using the client-app credentials. |
| 58 | + |
| 59 | +1. After successful validation, Microsoft Entra ID issues the access/refresh token. |
| 60 | + |
| 61 | + |
| 62 | + |
| 63 | + |
| 64 | +## Configure managed identity |
| 65 | + |
| 66 | + 1. Enable a system-assigned [managed identity for API Management](api-management-howto-use-managed-service-identity.md) in your API Management instance. |
| 67 | + |
| 68 | + * Take note of the identity's **Object (principal) ID**. |
| 69 | + |
| 70 | +1. Assign the identity the **Application Administrator** RBAC role in Microsoft Entra ID. To assign the role: |
| 71 | + |
| 72 | + 1. Sign in to the portal and navigate to **Microsoft Entra** |
| 73 | + 1. In the left menu, select **Manage** > **Roles and administrators**. |
| 74 | + 1. Select **Application administrator**. |
| 75 | + 1. In the left menu, select **Manage** > **Assignments** > **+ Add assignments**. |
| 76 | + 1. In the **Add assignments** pane, search for the API Management instance's managed identity by name or object (prinicipal) ID, select it, and then select **Add**. |
| 77 | + |
| 78 | + |
| 79 | +## Enable OAuth 2.0 authorization for product |
| 80 | + |
| 81 | +To enable OAuth 2.0 authorization for a product, you must first enable **Application based access** in the product settings. This setting automatically creates a client application in Microsoft Entra ID for this product. |
| 82 | + |
| 83 | +1. Sign in to the Azure portal at the following URL () and navigate to your API Management instance. |
| 84 | +1. In the left menu, under **APIs**, select **Products**. |
| 85 | +1. Select the product you want to enable OAuth 2.0 authorization for. For this example, select the **Starter** product. |
| 86 | +1. In the left menu, under **Product**, select **Properties**. |
| 87 | +1. Enable **Application based access**. |
| 88 | +1. Select **Save**. |
| 89 | + |
| 90 | +:::image type="content" source="media/applications/enable-application-based-access.png" alt-text="Screenshot of enabling application based access in the portal."::: |
| 91 | + |
| 92 | + |
| 93 | + |
| 94 | +## Create application in Microsoft Entra ID |
| 95 | + |
| 96 | +## Add/remove products in application |
| 97 | + |
| 98 | +## Create token and use with API call |
| 99 | + |
| 100 | +## List applications and get secrets in the developer portal |
| 101 | + |
| 102 | + |
| 103 | +## Related content |
| 104 | + |
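Review bot: the managed-identity step (new file line 70, "Assign the identity the **Application Administrator** RBAC role") mislabels the role and never states what the grant means. Application Administrator is a Microsoft Entra built-in directory role, not an Azure RBAC role, and it lets the holder create and manage every app registration and enterprise application in the tenant, including adding credentials to them and then signing in as that application; once it is assigned to the API Management system-assigned identity, a compromised instance, or anyone who can edit its policies (the `authentication-managed-identity` policy will fetch a Microsoft Graph token for that identity), can mint credentials for any application in the directory. Since the feature only needs to create and manage the client applications it generates for products (line 81, "This setting automatically creates a client application in Microsoft Entra ID for this product"), the text should say that the role is tenant-wide, explain why a narrower grant is not possible in the preview, and tell readers to review or remove the assignment afterwards; it should also say who owns the generated app registration and where its secret is stored, since line 100 promises developers will "get secrets in the developer portal". The scenario overview (lines 55 to 59) describes "the developer portal requests a token from Microsoft Entra ID using the client-app credentials", which does not match the configuration the body walks through (managed identity plus product-level **Application based access**); rewrite it to describe the token the gateway actually validates and which flow the client uses. Several placeholders would ship as written: the note on line 26 ends in "Ensure that you have ...", line 49 is still "[Any special considerations to access the preview - regions, special URLs, etc.]", step 1 on line 55 reads "Register an application ...in Microsoft Entra ID.", line 83 says "Sign in to the Azure portal at the following URL ()" with no URL, and the headings from "Create application in Microsoft Entra ID" through "Related content" (lines 94 to 104) have no body. Smaller fixes: the front-matter `title` and `description` (lines 2 and 4) still describe the older developer-portal test console article rather than this H1; "prinicipal" on line 76; and the link target on line 37, `get-started-create-service-instance`, lacks the `.md` extension used on line 42.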