Which Client ID & Secret for Azure API Management Authorization Code Flow?
Background
I have an instance of Azure API Managment that is configured to use Azure AD as the OAuth 2.0 identity provider. In Azure AD, there are two App Registrations:
- (A) Azure APIM App Registration
- (B) Customer Application App Registration
- Registered as Authorized client application of (A)
- Customer application will authenticate against Azure AD before passing bearer token to Azure APIM.
In Postman, authenticating with Azure AD using Client Credentials grant type works fine using the Customer Application (B) client ID & secret to authenticate and call APIM endpoints. This simulates the customer's service authenticating with Azure AD.
Question
Which client ID and client Secret should the customer's developers use in Postman if they want to test APIM using Authorization Code as the Grant Type?
Should they use the APIM client ID and client secret (A), the customer application's client ID & client secret (B), or something else?
You can provide the developers with a separate client secret that is only meant for testing purposes, while the actual client application continues to use its own client secret for production usage. But make sure to maintain strict control over the client secrets and ensure that they are only shared with authorized parties and kept securely.
You can use customer application's client ID & client secret (B) to test APIM using Authorization Code as the Grant Type in Postman.
I tried to reproduce the same in my environment and got below results:
I created two app registrations i.e, APIM App and ClientApp in my Azure AD tenant.
Now, I exposed an API with scope access_as_user and added ClientApp as Authorized client application in APIM App like below:
You can find above scope in ClientApp's API permissions like this:
Now add those permissions in your application by following below steps:
Make sure to grant admin consent to added permissions like this:
Before generating access token via Postman, I added below environment variables:
clientAppId: <appID of ClientApp>
clientAppSecret: <secret from ClientApp>
authUrl: https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
authTokenUrl: https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
To generate access token using Authorization Code as the Grant Type, I filled required fields like this:
When you select Get New Access Token button, it will ask you to sign in like below:
After successful authentication, I got access token like below:
To confirm that, you can decode the access token by pasting it in jwt.ms and check below claims:
- Error 400: invalid_scope with Postman and Google OAuth2
- Issues Adding SMTP.Send Permission to Azure Application for Office 365 SMTP
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- OAuth Client Credential Flow - Refresh Tokens
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?
- AADSTS70000 Error When Requesting for Access Token
- Is storing an OAuth token in cookies bad practice?
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
- Restrict Microsoft Azure App OAuth2.0 to Internal Users