Tags: django, azure, django-rest-framework, postman, adfs

Issue with Django API Authentication Using Azure AD and Postman


I have set up a Django project using the django_auth_adfs library to use Azure Active Directory for the authentication phase. I have set up its API using rest_framework and now I am trying to send requests to it using Postman. My problem is that whether I send a request with or without an access token, the result is nothing but the raw HTML code of the Microsoft login page. I used this link to generate my access token:

https://dev.to/425show/calling-an-azure-ad-secured-api-with-postman-22co

I tried different API permissions for my Azure app, such as Azure Active Directory Graph, Microsoft Graph, and one under my own project name, which comes from the scope I configured in Expose an API. I also wonder whether the company should grant access to the API I configured in Expose an API?

This is the result I get and this is my Postman environment. During the token registration, I am prompted to log in using my username, password, and the authentication code sent to my phone, and then the token is generated successfully. However, I am still getting the login page, although I am using the token in my headers. Also, regarding the Django AD configuration, it works fine: people can log in and log out using their Microsoft accounts, so the problem should not be there.


Solution

  • Steps to authenticate a Django API using Azure Active Directory (AD) and access it via Postman.

    Create an application in App registrations of Microsoft Entra ID. Choose Supported account types as Microsoft Entra ID tenant - Multitenant and personal Microsoft accounts for the API.

    Add a scope in Expose an API, selecting consent as Admins and users as shown in the image below.

    Use Instance, ClientId and TenantId in the Django API.

     "Instance": "https://login.microsoftonline.com/",
     "ClientId": "18", //Application (Client) ID from 'Catalogue.Api' app registration overview blade
     "TenantId": "932" // Tenant ID from 'Catalogue.Api' app registration overview blade
    
    • Create another application in Microsoft Entra ID for Postman with the callback URL below:

    https://www.postman.com/oauth2/callback


    Select Access tokens and ID tokens under Authentication and save.

    In the Postman application, add API permissions for the API app you created.

    Select Delegated permissions, choose the permissions of the API, and add the permission.

    • Add a client secret in the Postman app.

    • Create a new environment with a unique name and add the variables, initial values and current values as shown in the images below.

    • Replace the values of productAPiURl (the Django API URL), callbackUrl, clientId, tenantId, scope and clientSecret.

    • Create a new request and select the Auth Type as OAuth 2.0.

    • Set Callback URL, Auth URL, Access Token URL, Client ID, Client Secret, Scope and State from the Postman app details:

      Callback URL:   {{callbackUrl}}
      Auth URL:       https://login.microsoftonline.com/{{tenantid}}/oauth2/v2.0/authorize
      Token URL:      https://login.microsoftonline.com/{{tenantid}}/oauth2/v2.0/token
      Client ID:      {{clientId}}
      Client Secret:  {{clientSecret}}
      Scope:          {{scope}}
    
    • Click on Get New Access Token to sign in and generate the new token.

    • Use the token in the request headers with Authorization as the key name (value: Bearer followed by the token).

    Replace the Django API URL and send the request.