File: articles/api-management/api-management-howto-oauth2.md
Lines changed: 13 additions & 10 deletions
@@ -1,13 +1,13 @@
1
1
---
2
-
title: Authorize test console of API Management developer portal using OAuth 2.0
2
+
title: Authorize test console of API Management developer portal - OAuth 2.0
3
3
titleSuffix: Azure API Management
4
-
description: Set up OAuth 2.0 user authorization for the test console in the Azure API Management developer portal. This example uses Microsoft Entra ID as an OAuth 2.0 provider.
4
+
description: Set up OAuth 2.0 user authorization for the test console in Azure API Management developer portal. This example uses Microsoft Entra ID as OAuth 2.0 provider.
5
5
services: api-management
6
6
author: dlepow
7
7
8
8
ms.service: azure-api-management
9
-
ms.topic: article
10
-
ms.date: 04/01/2024
9
+
ms.topic: how-to
10
+
ms.date: 01/06/2025
11
11
ms.author: danlep
12
12
ms.custom: engagement-fy23
13
13
---
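Review bot: the new description drops the articles and now reads "in Azure API Management developer portal" and "as OAuth 2.0 provider", which is ungrammatical; keep "in the Azure API Management developer portal" and "as an OAuth 2.0 provider" from the removed line. The title change, `ms.topic: how-to` and the refreshed `ms.date` look fine.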
@@ -22,6 +22,9 @@ Configuring OAuth 2.0 user authorization in the test console of the developer po
22
22
23
23
## Prerequisites
24
24
25
+
- An API Management instance.
26
+
- An OAuth 2.0 provider.
27
+
25
28
This article shows you how to configure your API Management service instance to use OAuth 2.0 authorization in the developer portal's test console, but it doesn't show you how to configure an OAuth 2.0 provider.
26
29
27
30
If you haven't yet created an API Management service instance, see [Create an API Management service instance][Create an API Management service instance].
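Review bot: the new "An API Management instance." prerequisite should link to the same "[Create an API Management service instance]" target that the paragraph two lines below already uses, so readers do not have to scroll past the list to find it; likewise "An OAuth 2.0 provider." could note that the next paragraph explains the provider itself is out of scope.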
@@ -55,7 +58,7 @@ This configuration supports the following OAuth flow:
55
58
56
59
1. A developer (user of the developer portal) makes an API call with the authorization header.
57
60
58
-
1. The token gets validated by using the `validate-jwt` policy in API Management by Microsoft Entra ID.
61
+
1. The token gets validated with the OAuth 2.0 provider by using the `validate-jwt` policy. For the Microsoft Entra ID provider, API Management also provides the `validate-azure-ad-token` policy.
59
62
60
63
1. Based on the validation result, the developer will receive the response in the developer portal.
61
64
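Review bot: "validated with the OAuth 2.0 provider by using the `validate-jwt` policy" can be read as API Management calling the provider on each request; since the policy checks the token itself, wording such as "validated against the OAuth 2.0 provider's token signing keys by using the `validate-jwt` policy" is clearer. The added `validate-azure-ad-token` mention should also be linked the way the last hunk links both policies, so both references stay consistent.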
@@ -81,7 +84,7 @@ Consider how the grant type generates a token, the token's [scope](https://oauth
81
84
82
85
When configuring OAuth 2.0 user authorization in the test console of the developer portal:
83
86
84
-
***Limit the token's scope to the minimum** needed for developers to test the APIs. Limit the scope to the test console, or to the affected APIs. The steps to configure token scope depend on your OAuth 2.0 provider.
87
+
***Limit the token's scope to the minimum** needed for developers to test the APIs. Limit the scope to the test console, or to the affected APIs. The steps to configure token scope depend on your OAuth 2.0 provider. An example is shown later in this article using Microsoft Entra ID.
85
88
86
89
Depending on your scenarios, you may configure more or less restrictive token scopes for other client applications that you create to access backend APIs.
87
90
***Take extra care if you enable the Client Credentials flow**. The test console in the developer portal, when working with the Client Credentials flow, doesn't ask for credentials. An access token could be inadvertently exposed to developers or anonymous users of the developer console.
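Review bot: the list item still starts with `***Limit the token's scope to the minimum**`, which is a bullet `*` glued to `**bold**` and will not render as a bullet; since this line is being touched anyway, change it to `* **Limit the token's scope to the minimum**` (the same fix applies to the `***Take extra care` item below). The added sentence pointing to the Microsoft Entra ID example is a good addition.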
@@ -172,11 +175,11 @@ Now that you've registered two applications to represent the API and the test co
172
175
173
176
1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.
174
177
175
-
1. Choose your clientapp. Then in the side menu, select **API permissions**.
178
+
1. Choose your client-app. Then in the side menu, select **API permissions**.
176
179
177
-
1. Select **+ Add a Permission**.
180
+
1. Select **+ Add a permission**.
178
181
179
-
1. Under **Select an API**, select **My APIs**, and then find and select your backend-app.
182
+
1. Under **Select an API**, select **My APIs**, and then find and select your backend-app (the app registration for your backend API).
180
183
181
184
1. Select **Delegated Permissions**, then select the appropriate permissions to your backend-app.
182
185
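Review bot: "Add a Permission" is lowercased to match the portal, but the unchanged "Select **Delegated Permissions**" step right after it keeps the old capitalization; lowercase it too for consistency, and "appropriate permissions to your backend-app" should read "for your backend-app". The "client-app" and "backend-app (the app registration for your backend API)" changes are clear.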
@@ -287,7 +290,7 @@ After saving the OAuth 2.0 server configuration, configure an API or APIs to use
287
290
288
291
In the configuration so far, API Management doesn't validate the access token. It only passes the token in the authorization header to the backend API.
289
292
290
-
To pre-authorize requests, configure a [validate-jwt](validate-jwt-policy.md) policy to validate the access token of each incoming request. If a request doesn't have a valid token, API Management blocks it.
293
+
To pre-authorize requests, configure a [validate-jwt](validate-jwt-policy.md) policy to validate the access token of each incoming request. If a request doesn't have a valid token, API Management blocks it. When you use the Microsoft Entra ID provider, you can also use the [validate-azure-ad-token](validate-azure-ad-token-policy.md) policy.
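Review bot: "If a request doesn't have a valid token" leaves "valid" undefined; since the earlier hunk tells readers to limit token scope to the minimum, this sentence should say that the policy must be configured to check the expected claims (for example audience and scope) for that guidance to take effect. The added link to `validate-azure-ad-token` for the Microsoft Entra ID provider is consistent with the change in the flow description above.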