###### tags: `Doc` `OAuth2.0` `API Management`
# Use AAD and OAuth 2.0 to access the API managed by azure APIM
Complete official document: [Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD](https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad)
## Setting App Registration
- Register a new app in AAD
- Navigate to **Expose an API** and **Add a scope**
(a scope is required when using the v2 endpoint)
    ![](https://i.imgur.com/Dzh7Mok.png)
- Navigate to **Authentication** and set the **Redirect URIs**
(the sign-in redirects to the APIM developer portal after a successful authorization)
    ![](https://i.imgur.com/sCRbWuS.png)
    * Get the redirect URL from **APIM > OAuth2.0 + OpenID connect > OAuth 2.0 > {OAuth name} > Redirect URI**
    ![](https://i.imgur.com/5k8O5XA.png)

- Enable **Access tokens (used for implicit flows)** from **Authentication**
    ![](https://i.imgur.com/pbDFy8y.png)
- *(Optional)* Navigate to **Manifest** and change `"accessTokenAcceptedVersion"` from `null` to `2`
    ![](https://i.imgur.com/WHZOLSV.png)

## Setting APIs
- Add the default scope obtained from the app registration
    ![](https://i.imgur.com/BcHNVpS.png)
- Set the **Client registration page URL** and the **Authorization grant types**
    ![](https://i.imgur.com/hC0lwJA.png)
## Setting APIs policy
See [Set or edit API Management policies](https://docs.microsoft.com/en-us/azure/api-management/set-edit-policies).

- Add the policy below to the `<inbound>` section of the API policy
    ```xml
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud">
                <value>{client-id}</value>
            </claim>
        </required-claims>
    </validate-jwt>
    ```

    ![](https://i.imgur.com/qoEVmAG.png)
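The checks that `<validate-jwt>` performs on every request are easy to get wrong when reproduced elsewhere (for example in a backend that must also verify the token), so the script below is an added example, not code from the page or from APIM, that mirrors the policy above: it rejects a missing or non-Bearer `Authorization` header, verifies the signature, pins the algorithm, checks the issuer implied by the `openid-config` URL, requires `aud` to contain the client id, and enforces `exp`/`nbf`. `TENANT_ID`, `CLIENT_ID` and the signing secret are constructed placeholders, and the signature step uses HS256 with a shared secret purely so the script runs offline; the real policy verifies RS256 signatures against the keys published by the OpenID configuration document. One caveat the example also shows: with `accessTokenAcceptedVersion` left at `null`, Azure AD issues v1.0 access tokens whose `aud` is the Application ID URI (typically `api://{client-id}`), which the `<value>{client-id}</value>` check above will reject; v2.0 tokens carry the bare client id.

```python
"""Added example: an offline stand-in for APIM's <validate-jwt> policy."""
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
# Issuer of v2.0 tokens; the real policy reads it from the openid-config document.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Offline stand-in for the tenant's RS256 signing keys (constructed, HS256 only).
SIGNING_SECRET = b"constructed-demo-secret"
FAIL_MESSAGE = "Unauthorized. Access token is missing or invalid."


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a signed JWT (HS256 stand-in) carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def validate_jwt(authorization_header, required_aud=CLIENT_ID, now=None):
    """Return (http_status, message), mirroring the page's <validate-jwt> block.

    401 + FAIL_MESSAGE corresponds to failed-validation-httpcode and
    failed-validation-error-message; 200 means the request may be forwarded.
    """
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, FAIL_MESSAGE
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, FAIL_MESSAGE
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return 401, FAIL_MESSAGE
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401, FAIL_MESSAGE
    # Pin the algorithm so an "alg": "none" header cannot bypass the signature check.
    if header.get("alg") != "HS256":
        return 401, FAIL_MESSAGE
    expected = hmac.new(
        SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(signature, expected):
        return 401, FAIL_MESSAGE
    # Issuer check: the policy validates iss against the openid-config document.
    if claims.get("iss") != EXPECTED_ISSUER:
        return 401, FAIL_MESSAGE
    # <required-claims><claim name="aud">: aud may be a string or a list of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if required_aud not in audiences:
        return 401, FAIL_MESSAGE
    # Lifetime: exp is mandatory, nbf optional, no clock skew allowed.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return 401, FAIL_MESSAGE
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf):
        return 401, FAIL_MESSAGE
    return 200, "ok"


if __name__ == "__main__":
    issued = int(time.time())
    v2_token = mint_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID,
                           "exp": issued + 3600, "nbf": issued, "scp": "api.read"})
    print("v2 token:", validate_jwt(f"Bearer {v2_token}"))
    # A v1.0-style token: aud is the Application ID URI, so the aud check fails.
    v1_token = mint_token({"iss": EXPECTED_ISSUER, "aud": f"api://{CLIENT_ID}",
                           "exp": issued + 3600})
    print("v1-style aud:", validate_jwt(f"Bearer {v1_token}"))
```

Running the script prints `(200, 'ok')` for the v2-style token and a 401 for the v1-style one, which is the symptom seen when the manifest step above is skipped and the policy still expects the bare client id.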

## Reference
- [AADSTS900144: The request body must contain the following parameter: 'scope' when using legacy Developer Portal](https://stackoverflow.com/questions/59826328/aadsts900144-the-request-body-must-contain-the-following-parameter-scope-whe)
- [Redirect URL error while authenticating API with OAuth 2.0 in APIM developer portal: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'APP reg ID'.](https://docs.microsoft.com/en-us/answers/questions/39799/redirect-url-error-while-authecating-api-with-oaut.html)
- [API Management access restriction policies](https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT)