How to protect API without end user to login with AD Account in Azure?





I would like to know how (or whether it is possible) to make use of Azure API Management Service with OAuth without the user having to be registered with an Azure AD account, and still consume the backend API.

I followed the sample https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad and everything works fine.

This sample uses the Azure Developer Console as the client app. However, if I want to use my own client app for authentication, does that mean my client app needs to be hosted on a server with OAuth capability?

Is it possible for my client app to use a "Service Account" to log in to Azure Active Directory as a user, so that the client app can consume the protected APIs?










  • What do you mean by the "service account"?

    – SunnySun
    Jan 4 at 6:04

  • I mean something like what I can do in IIS: setting up an AD user account to be used by the application pool, so that AAD and Azure API Management deal with that service account to authorize the client to consume the backend API. Is that possible, and if yes, is that a good approach?

    – Benny Chan
    Jan 6 at 23:59

  • I just edited my question title to be more specific.

    – Benny Chan
    Jan 7 at 0:03


















oauth-2.0 azure-active-directory azure-api-management






edited Jan 7 at 0:03
Benny Chan

asked Jan 4 at 3:09
Benny Chan

1 Answer
APIM itself does not care whether any given OAuth server is AAD or not. There are three things in APIM that are related to OAuth.

First is Dev portal sign-in. One can set up the Dev portal to authenticate users via AAD, Facebook, Google, etc. With this setting APIM will contact the required auth server to validate the user's identity. This is only needed if you want your users to authenticate with the dev portal using some auth server.

Then there is OpenID and OAuth server registration, and linking of them to APIs. This is purely for documentation purposes. You do this to show that your backend (not APIM) requires an OAuth token from a certain OAuth server. The Dev portal, for its part, will render a UI in the dev console to obtain such a token and call the APIM proxy with it. This can be used with any OpenID/OAuth server, not necessarily AAD. And you do not need to host any app; the registration is done purely to obtain a client id and client secret, so that when the Dev portal makes a call to the auth server to obtain a token for the user, it is allowed to do so. This is only needed to render UI on the dev console that will allow users to easily obtain tokens to make a call to your service. It does not affect runtime request processing in any way.

Finally there is the validate-jwt policy; this is the only OAuth-related runtime bit in APIM. This policy can be configured to extract a JWT token from a request and check it for certain claims to make a decision whether the calling party is authorized to make the call or not. This does not require any other setup to work; just placing the policy in the pipeline is enough. But you may want to set up an auth server as well, as without it the dev console will not work by default.






        answered Jan 8 at 0:01









Vitaliy Kurokhtin
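As an added example (not part of the answer above and not taken from Microsoft's documentation), this is what the validate-jwt policy the answer describes looks like in an APIM inbound policy. It is the only part that runs per request: APIM pulls the bearer token out of the Authorization header, verifies its signature and expiry against the tenant's OpenID metadata, and then makes the authorization decision on claims alone, so it works the same whether the token was issued to a signed-in user or to a daemon client that has no user (an app-only token carries the application permissions it was granted in the `roles` claim). The values `{tenant-id}`, `{backend-app-id}` and the role name `Api.Read` are placeholders, not values from the page.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example policy. {tenant-id}, {backend-app-id} and Api.Read are
             placeholders for the reader's own tenant, API registration and app role. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized: missing or invalid access token">
            <!-- Signing keys and issuer metadata are fetched from the tenant's
                 OpenID discovery document, so no key material lives in the policy. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- Accept only tokens minted for this backend API, not any token
                 a caller happens to hold for some other app in the tenant. -->
            <audiences>
                <audience>api://{backend-app-id}</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- Authorization: the caller, user or daemon client alike, must hold
                 the app role. For a client-credentials (app-only) token this claim
                 contains the application permissions granted to that client. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Api.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Requiring a specific audience and a `roles` value is what turns "the token is valid" into "this caller is allowed to call this API": a valid token issued for a different API in the same tenant, or a token from a client that was never granted the role, is rejected with 401 before the request ever reaches the backend. Nothing here depends on the developer portal or on an OAuth server registration in APIM, which matches the answer's point that those only affect the dev console.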
