###### tags: `Doc` `OAuth2.0` `API Management`

# Use AAD and OAuth 2.0 to access the API managed by Azure APIM

Completed by following the official document: [Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD](https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad)

## Setting App Registration

- Create a new app in AAD
- Navigate to **Expose an API** to **Add a scope** (the scope setting is required when using the v2 endpoint)
  ![](https://i.imgur.com/Dzh7Mok.png)
- Navigate to **Authentication** and set the **Redirect URIs** (redirects to the APIM developer portal when access succeeds)
  ![](https://i.imgur.com/sCRbWuS.png)
  * Get the redirect URL from **APIM > OAuth2.0 + OpenID connect > OAuth 2.0 > {OAuth name} > Redirect URI**
  ![](https://i.imgur.com/5k8O5XA.png)
- Enable **Access tokens (used for implicit flows)** from **Authentication**
  ![](https://i.imgur.com/pbDFy8y.png)
- *(Not necessary)* Navigate to **Manifest** and modify "accessTokenAcceptedVersion" from "null" to "2"
  ![](https://i.imgur.com/WHZOLSV.png)

## Setting APIs

- Add the default scope obtained from the app registration
  ![](https://i.imgur.com/BcHNVpS.png)
- Client registration page URL and Authorization grant types
  ![](https://i.imgur.com/hC0lwJA.png)

## Setting APIs policy

https://docs.microsoft.com/en-us/azure/api-management/set-edit-policies

- Add the code below to the inbound section of the policy

```xml
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud">
            <value>{client-id}</value>
        </claim>
    </required-claims>
</validate-jwt>
```

![](https://i.imgur.com/qoEVmAG.png)

## Reference

- [AADSTS900144: The request body must contain the following parameter: 'scope' when using legacy Developer Portal](https://stackoverflow.com/questions/59826328/aadsts900144-the-request-body-must-contain-the-following-parameter-scope-whe)
- [Redirect URl error while authecating API with Oauth 2.0 in APIM developer portal: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'APP reg ID'.](https://docs.microsoft.com/en-us/answers/questions/39799/redirect-url-error-while-authecating-api-with-oaut.html)
- [API Management access restriction policies](https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT)
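A companion check for the `validate-jwt` policy in the "Setting APIs policy" section (an added example, not part of the original note or of the Microsoft documentation): it decodes a token's claims and applies the same audience, issuer and time-window checks the policy performs, accepting both the v1 token format (`accessTokenAcceptedVersion` left at null, `aud` = `api://{client-id}`) and the v2 format (`aud` = `{client-id}`). It does not verify the signature; APIM does that with the keys published at the openid-config URL. The tenant and client IDs are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholder IDs (not from the original note); substitute your own tenant/app values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token):
    # Reads the claims only. Signature verification is NOT done here; APIM does that
    # using the JWKS referenced by the openid-config URL in the policy.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_token_claims(claims, tenant_id, client_id, now=None):
    # Mirrors the policy's aud check and adds the issuer and exp/nbf checks that
    # validate-jwt also enforces. Returns (accepted, reason).
    now = time.time() if now is None else now
    # v2 tokens (accessTokenAcceptedVersion = 2) carry the bare client-id as aud and a
    # login.microsoftonline.com/<tenant>/v2.0 issuer; v1 tokens use api://<client-id>
    # and sts.windows.net/<tenant>/. Each aud form is bound to its matching issuer.
    accepted = {
        client_id: f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"api://{client_id}": f"https://sts.windows.net/{tenant_id}/",
    }
    aud = claims.get("aud")
    if aud not in accepted:
        return False, f"unexpected aud {aud!r}"
    if claims.get("iss") != accepted[aud]:
        return False, f"issuer {claims.get('iss')!r} does not match tenant {tenant_id}"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

def make_unsigned_token(claims):
    # Builds a constructed, unsigned token so the decoder can be exercised offline.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    sample = make_unsigned_token({"aud": CLIENT_ID, "exp": time.time() + 3600,
                                  "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"})
    print(check_token_claims(decode_jwt_payload(sample), TENANT_ID, CLIENT_ID))
```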