Removing postman testing instructions

garrodonnell · garrodonnell · commit bea6ba19330a · 2024-03-29T09:51:29.000Z
diff --git a/articles/active-directory-b2c/secure-api-management.md b/articles/active-directory-b2c/secure-api-management.md
@@ -29,7 +29,6 @@ Before you begin, make sure that you have the following resources in place:
 * An [application that's registered in your tenant](tutorial-register-applications.md)
 * [User flows that are created in your tenant](tutorial-create-user-flows.md)
 * A [published API](../api-management/import-and-publish.md) in Azure API Management
-* (Optional) A [Postman platform](https://www.postman.com/) to test secured access
 
 ## Get Azure AD B2C application ID
 
@@ -114,108 +113,6 @@ You're now ready to add the inbound policy in Azure API Management that validate
         <on-error> <base /> </on-error>
     </policies>
     ```
-
-## Validate secure API access
-
-To ensure that only authenticated callers can access your API, you can validate your Azure API Management configuration by calling the API with [Postman](https://www.postman.com/).
-
-To call the API, you need both an access token that's issued by Azure AD B2C and an Azure API Management subscription key.
-
-### Get an access token
-
-You first need a token that's issued by Azure AD B2C to use in the `Authorization` header in Postman. You can get one by using the *Run now* feature of the sign-up/sign-in user flow you that you created as one of the prerequisites.
-
-1. In the [Azure portal](https://portal.azure.com), go to your Azure AD B2C tenant.
-1. Under **Policies**, select **User flows**.
-1. Select an existing sign-up/sign-in user flow (for example, *B2C_1_signupsignin1*).
-1. For **Application**, select *webapp1*.
-1. For **Reply URL**, select `https://jwt.ms`.
-1. Select **Run user flow**.
-
-    ![Screenshot of the "Run user flow" pane for the sign-up/sign-in user flow in the Azure portal.](media/secure-apim-with-b2c-token/portal-03-user-flow.png)
-
-1. Complete the sign-in process. You should be redirected to `https://jwt.ms`.
-1. Record the encoded token value that's displayed in your browser. You use this token value for the Authorization header in Postman.
-
-    ![Screenshot of the encoded token value displayed on jwt.ms.](media/secure-apim-with-b2c-token/jwt-ms-01-token.png)
-
-### Get an API subscription key
-
-A client application (in this case, Postman) that calls a published API must include a valid API Management subscription key in its HTTP requests to the API. To get a subscription key to include in your Postman HTTP request:
-
-1. In the [Azure portal](https://portal.azure.com), go to your Azure API Management service instance.
-1. Select **Subscriptions**.
-1. Select the ellipsis (**...**) next to **Product: Unlimited**, and then select **Show/hide keys**.
-1. Record the **Primary Key** for the product. You use this key for the `Ocp-Apim-Subscription-Key` header in your HTTP request in Postman.
-
-![Screenshot of the "Subscription key" page in the Azure portal, with "Show/hide keys" selected.](media/secure-apim-with-b2c-token/portal-04-api-subscription-key.png)
-
-### Test a secure API call
-
-With the access token and Azure API Management subscription key recorded, you're now ready to test whether you've correctly configured secure access to the API.
-
-1. Create a new `GET` request in [Postman](https://www.postman.com/). For the request URL, specify the speakers list endpoint of the API you published as one of the prerequisites. For example:
-
-    `https://contosoapim.azure-api.net/conference/speakers`
-
-1. Next, add the following headers:
-
-    | Key | Value |
-    | --- | ----- |
-    | `Authorization` | The encoded token value you recorded earlier, prefixed with `Bearer ` (include the space after "Bearer") |
-    | `Ocp-Apim-Subscription-Key` | The Azure API Management subscription key you recorded earlier. |
-    | | |
-
-    Your **GET** request URL and **Headers** should appear similar to those shown in the following image:
-
-    ![Screenshot of the Postman UI showing the GET request URL and headers.](media/secure-apim-with-b2c-token/postman-01-headers.png)
-
-1. In Postman, select the **Send** button to execute the request. If you've configured everything correctly, you should be given a JSON response with a collection of conference speakers (shown here, truncated):
-
-    ```json
-    {
-      "collection": {
-        "version": "1.0",
-        "href": "https://conferenceapi.azurewebsites.net:443/speakers",
-        "links": [],
-        "items": [
-          {
-            "href": "https://conferenceapi.azurewebsites.net/speaker/1",
-            "data": [
-              {
-                "name": "Name",
-                "value": "Scott Guthrie"
-              }
-            ],
-            "links": [
-              {
-                "rel": "http://tavis.net/rels/sessions",
-                "href": "https://conferenceapi.azurewebsites.net/speaker/1/sessions"
-              }
-            ]
-          },
-    [...]
-    ```
-
-### Test an insecure API call
-
-Now that you've made a successful request, test the failure case to ensure that calls to your API with an *invalid* token are rejected as expected. One way to perform the test is to add or change a few characters in the token value, and then run the same `GET` request as before.
-
-1. Add several characters to the token value to simulate an invalid token. For example, you could add "INVALID" to the token value, as shown here:
-
-    ![Screenshot of the Headers section of Postman UI showing the string INVALID added to token.](media/secure-apim-with-b2c-token/postman-02-invalid-token.png)
-
-1. Select the **Send** button to execute the request. With an invalid token, the expected result is a `401` unauthorized status code:
-
-    ```json
-    {
-        "statusCode": 401,
-        "message": "Unauthorized. Access token is missing or invalid."
-    }
-    ```
-
-If you see a `401` status code, you've verified that only callers with a valid access token issued by Azure AD B2C can make successful requests to your Azure API Management API.
-
 ## Support multiple applications and issuers
 
 Several applications typically interact with a single REST API. To enable your API to accept tokens intended for multiple applications, add their application IDs to the `<audiences>` element in the Azure API Management inbound policy.
