Securing an API using Open ID Connect from AAPIM

Part 2: Configure/Setup and Enable Open ID Connect in the Developer Console

4 min readDec 2, 2020

Introduction

Configuring OpenID Connect for your APIs hosted in Azure API Management adds an extra layer of security and prevents unauthorized access. This is a very important configuration form Security point of view for your Endpoints and is provided out of the box by Azure. This is the Second part of a series of Blogs on Securing your API using OpenID Connect in Azure API Management. Please go through all the parts to find easy and detailed steps that will help you configure the OpenID Connect Authentication.

Note: This Blog will demonstrate the steps to configure and test the Open ID connect Authentication with Developer portal (Legacy). The steps are similar for Developer Portal Open ID connect Authentication Configuration. But it is worth noting that the Developer Portal currently only supports Implicit Mode of Authentication and might give you a 401 Error.

Configure/Setup Open ID Connect in API Management

1. In Azure portal, browse to your API Management instance.

2. Select Open ID Connect > Add.

3. Provide a Display name and Description.

4. For the Metadata endpoint URL, enter in the form

https://login.microsoftonline.com/{tenant id}/.well-known/openid-configuration

5. For Client Credentials add:

a) The id of the Azure AD application we created.

b) The secret key for the application we created.

6. Go back to your Test_OIDC App in Azure Active Directory and select Authentication and under Platform configurations click on Add a platform.

7. Select the type as Web, paste the redirect_url under Redirect URI for Auth code type from your APPIM Open ID server you just setup, and then click on Configure button to save.

8. Similarly, select the type as Web, paste the redirect_url under Redirect URI for implicit grant type from your APPIM Open ID server you just setup, and then click on Configure button to save.

Now that you have configured an Open Id Connect authorization server, the Developer Console can obtain access tokens from Azure AD.

Enable Open ID Connect user authorization for your API

This enables the Developer Console to know that it needs to obtain an access token on behalf of the user, before making calls to your API.

1. Browse to your API Management instance and go to APIs.

2. Select the API you want to protect. For example, you can use any of your APIs .

3. Go to Settings.

4. Under Security, choose OAuth 2.0, and select the OAuth 2.0 server you configured earlier.

5. Select Save.

Links to All Blogs of this Series

Part 1: Register an application in Azure AD to represent the API https://bi-fixes.medium.com/securing-an-api-using-open-id-connect-from-aapim-5d4f46f178dc

Part 2: Configure/Setup and Enable Open ID Connect in the Developer Console https://bi-fixes.medium.com/securing-an-api-using-open-id-connect-from-aapim-bc40f432f90f

Part 3: Successfully call the API from the developer portal (legacy) https://bi-fixes.medium.com/securing-an-api-using-open-id-connect-from-aapim-bf58fad7335

Part 4: Configure a JWT validation policy to pre-authorize requests https://bi-fixes.medium.com/securing-an-api-using-open-id-connect-from-aapim-1cf4134be814