Background
I have an instance of Azure API Management that is configured to use Azure AD as the OAuth 2.0 identity provider. In Azure AD, there are two App Registrations:
In Postman, authenticating with Azure AD using Client Credentials grant type works fine using the Customer Application (B) client ID & secret to authenticate and call APIM endpoints. This simulates the customer's service authenticating with Azure AD.
Question
Which client ID and client Secret should the customer's developers use in Postman if they want to test APIM using Authorization Code as the Grant Type?
Should they use the APIM client ID and client secret (A), the customer application's client ID & client secret (B), or something else?
You can provide the developers with a separate client secret that is only meant for testing purposes, while the actual client application continues to use its own client secret for production usage. But make sure to maintain strict control over the client secrets and ensure that they are only shared with authorized parties and kept securely.
You can use the customer application's client ID & client secret (B) to test APIM using Authorization Code as the Grant Type in Postman.
I tried to reproduce the same in my environment and got the following results:
I created two app registrations, i.e., APIM App and ClientApp, in my Azure AD tenant.
Now, I exposed an API with the scope access_as_user and added ClientApp as an authorized client application in APIM App, like below:
You can find the above scope in ClientApp's API permissions like this:
Now add those permissions to your application by following the steps below:
Make sure to grant admin consent to the added permissions like this:
Before generating the access token via Postman, I added the environment variables below:
clientAppId: <appID of ClientApp>
clientAppSecret: <secret from ClientApp>
authUrl: https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
authTokenUrl: https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
To generate the access token using Authorization Code as the Grant Type, I filled in the required fields like this:
When you select the Get New Access Token button, it will ask you to sign in like below:
After successful authentication, I got the access token like below:
To confirm that, you can decode the access token by pasting it into jwt.ms and check the claims below:
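As an added example (not part of the answer above), the claim inspection the answer does by hand in jwt.ms, done in Python: it decodes the token payload without verifying the signature and compares aud, azp/appid, scp and exp against the APIM App / ClientApp pairing. The audience URI, client ID, tenant and the exact claim names checked are assumptions, and the token is constructed inline.

```python
import base64
import json
import time

# Placeholder identifiers (constructed, not from any real tenant).
APIM_API_AUDIENCE = "api://APIM-APP-ID-PLACEHOLDER"   # Application ID URI of APIM App
CLIENT_APP_ID = "CLIENTAPP-ID-PLACEHOLDER"            # appID of ClientApp
REQUIRED_SCOPE = "access_as_user"                     # scope exposed on APIM App

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(token):
    """Return the claims of a JWT without verifying its signature (what jwt.ms
    shows). APIM's validate-jwt policy does the real check; this is for inspection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_apim_token_claims(claims, now=None):
    """Compare decoded claims with what the setup above should produce. Returns a
    list of problems; empty means: issued for APIM App, requested by ClientApp,
    carries the scope, and is unexpired."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != APIM_API_AUDIENCE:
        problems.append(f"aud is {claims.get('aud')!r}, expected {APIM_API_AUDIENCE!r}")
    caller = claims.get("azp") or claims.get("appid")  # v2.0 tokens use azp, v1.0 appid
    if caller != CLIENT_APP_ID:
        problems.append(f"caller {caller!r} is not ClientApp {CLIENT_APP_ID!r}")
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        problems.append(f"scope {REQUIRED_SCOPE!r} missing from scp={claims.get('scp')!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def make_sample_token(**overrides):
    """Build a constructed, unsigned token shaped like an Azure AD v2.0 access
    token for the exposed API; overrides let a caller break individual claims."""
    claims = {"aud": APIM_API_AUDIENCE, "azp": CLIENT_APP_ID, "scp": REQUIRED_SCOPE,
              "exp": int(time.time()) + 3600,
              "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"}
    claims.update(overrides)
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.dummysig"
```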