Azure APIM : External Backend API Oauth2 authentication with Bearer token integration

Question

We have the current situation:

• In Azure API manager we build some APIs based on a Swagger definition.
• The provider of the APIs provided us with a client id and secret.
• Some of these API calls need to be authenticated with a bearer token which is generated on the provider's API infrastructure with a /token endpoint mentioned above and we want to integrate the authentication flow for these API calls in APIM (since the frontend will be authenticated in another way (CORS probably))
• We tried various approaches using all kinds of variations in "OAuth2.0" service configurations in the APIM setting and apply them to the API definitions by We kept getting Unauthorized 401.

As starting point we used https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad, but most of the the explanations we found concerned using AD, which we don't need as far as we understand.

We tried to implement the following OAuth 2.0 Postman Authorization configuration into APIM (which actually works in Postman).

Is there a simple and straight forward way to tell APIM to do a call to the token URL with a given ClientId and secret and add the authorization header with a bearer token to the backend API?

Answer 1

Yes - you can do this and here is a Curity resource that follows a similar process:

• Make an OAuth request to get a JWT based on an incoming credential
• Forward it to the downstream API
• Cache the result for subsequent requests with the same incoming credential

Your case is a little different but uses the same building blocks. You just need to adapt the OAuth message to use the Client Credentials flow.