articles/active-directory-b2c/secure-api-management.md
Lines changed: 7 additions & 6 deletions
@@ -15,7 +15,7 @@ ms.subservice: B2C
# Secure an Azure API Management API with Azure AD B2C
-
Ensure only authenticated callers can access your API by creating an inbound policy in Azure API Management (APIM) that restricts access to requests that include a valid Azure AD B2C-issued access token.
+
Learn how to restrict access your Azure API Management (APIM) API to clients that have authenticated with Azure Active Directory B2C (Azure AD B2C). Follow the steps in this article to create and test an inbound policy in APIM that restricts access to only those requests that include a valid Azure AD B2C-issued access token.
## Prerequisites
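Review bot: the new sentence at the `+` line drops a preposition; "restrict access your Azure API Management (APIM) API" should read "restrict access to your Azure API Management (APIM) API". Otherwise the rewrite is an improvement over the removed line: it names up front what the reader will do (create and test an inbound policy) rather than only stating the outcome.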
@@ -25,6 +25,7 @@ You need the following resources in place before continuing with the steps in th
*[Application registered](tutorial-register-applications.md) in your tenant
*[User flows created](tutorial-create-user-flows.md) in your tenant
*[Published API](../api-management/import-and-publish.md) in Azure API Management
+
*[Postman](https://www.getpostman.com/) to test secured access (optional)
## Get Azure AD B2C application ID
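Review bot: Postman is marked "(optional)" in the added prerequisite, but the validation section later in this file (the hunk at line 101) walks through calling the API with Postman and offers no alternative. Either drop "(optional)" or phrase the item as "Postman, or another HTTP client that can send an `Authorization` header, to test secured access" so readers using curl or a browser extension know the later steps still apply to them.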
@@ -38,7 +39,7 @@ When you secure an API in Azure API Management with Azure AD B2C, you need sever
## Get token issuer endpoint
-
Next, get the well-known config URL for one of your Azure AD B2C user flows. You also need the token issuer endpoint URI for the issuer you want to support in Azure API Management.
+
Next, get the well-known config URL for one of your Azure AD B2C user flows. You also need the token issuer endpoint URI you want to support in Azure API Management.
1. Browse to your Azure AD B2C tenant in the [Azure portal](https://portal.azure.com)
1. Under **Policies**, select **User flows (policies)**
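Review bot: "the token issuer endpoint URI you want to support" now lacks the noun it qualifies; "the URI of the token issuer you want to support" or simply keeping "for the issuer" reads more clearly. It would also help to say in this sentence what each value is for: the well-known configuration URL is what the inbound policy uses to fetch the issuer's metadata and signing keys, while the issuer URI is the value the token's issuer claim must match. Spelling that out here makes the "Support multiple applications and issuers" section at the end of this file easier to follow.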
@@ -100,7 +101,7 @@ You're now ready to add the inbound policy in Azure API Management that validate
To ensure only authenticated callers can access your API, you can validate your Azure API Management configuration by calling the API with [Postman](https://www.getpostman.com/).
-
To call the API, you need an access token issued by Azure AD B2C and an APIM subscription key.
+
To call the API, you need both an access token issued by Azure AD B2C, and an APIM subscription key.
### Get an access token
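Review bot: drop the comma in "both an access token issued by Azure AD B2C, and an APIM subscription key"; "both X and Y" takes no comma. Because the two credentials are easy to conflate, one sentence saying that the subscription key only identifies the APIM subscription and does not prove the caller is authenticated would set up the failure test later in this file, which expects a `401` for a request that lacks a valid token.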
@@ -116,7 +117,7 @@ You first need a token issued by Azure AD B2C to use in the `Authorization` head

1. Complete the sign-in process. You should be redirected to `https://jwt.ms`.
-
1. Record encoded token value displayed in your browser. You use this token value for the Authorization header in Postman.
+
1. Record the encoded token value displayed in your browser. You use this token value for the Authorization header in Postman.

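Review bot: "Authorization header" in the `+` line should be formatted as the `Authorization` header to match the hunk context ("to use in the `Authorization` header"). The sentence could also state how the value is sent, as a bearer token (`Authorization: Bearer <token>`), since that is the form the Postman request needs and the step as written leaves the reader to guess the scheme.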
@@ -194,7 +195,7 @@ Now that you've made a successful request, test the failure case to ensure that
}
```
-
Congratulations! You've verified that only callers with a valid access token issued by Azure AD B2C can make successful requests to your Azure API Management API.
+
If you see the `401` status code, you've verified that only callers with a valid access token issued by Azure AD B2C can make successful requests to your Azure API Management API.
## Support multiple applications and issuers
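Review bot: the `+` line over-claims. A `401` for a single request without a token shows that unauthenticated calls are rejected; it does not show that "only callers with a valid access token" can succeed. Suggest "If you see the `401` status code, the policy is rejecting requests that lack a valid Azure AD B2C-issued token", and list the negative cases worth trying before calling the API secured: an expired token, a token whose payload or signature has been altered, and a token issued for a different application. Those are the cases the inbound policy exists to catch, and the one-request check does not exercise any of them.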
@@ -228,7 +229,7 @@ You can follow this general process to perform a staged migration:
1. Update your applications one at a time to obtain tokens from the b2clogin.com endpoint.
1. Once all of your applications are correctly obtaining tokens from b2clogin.com, remove support for login.microsoftonline.com-issued tokens from the API.
-
The following example APIM inbound policy illustrates how to accept tokens issued by both b2clogin.com login.microsoftonline.com. Additionally, it supports API requests from two applications.
+
The following example APIM inbound policy illustrates how to accept tokens issued by both b2clogin.com and login.microsoftonline.com. Additionally, it supports API requests from two applications.
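Review bot: the missing "and" fix is correct. Since the last migration step in this hunk says to remove login.microsoftonline.com support once every application obtains tokens from b2clogin.com, the lead-in to the example should say that accepting both issuers is the interim configuration for the staged migration, not the end state. As written, a reader can copy the policy and keep trusting tokens from both issuers indefinitely, which leaves the API accepting more than it needs to.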