It seems that the current version requires backend-app to expose and API and add Scope, which is unfortunately not well documented (in regards of what it is an what is the purpose of this, as well as how to configure).
Additionally, this is actually across the Microsoft Azure products; the changes are frequent, but the documentation as well as the tutorial unable to cope, which make us developer difficult to implement, yet to propose of using the Microsoft Azure in general.
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 823eb96f-e5f1-0832-b175-0b31009be92f
- Version Independent ID: 330085ae-dcf6-e930-86a8-0e4a60ab1314
- Content: Protect an API by using OAuth 2.0 with Azure Active Directory and API Management
- Content Source: articles/api-management/api-management-howto-protect-backend-with-aad.md
- Service: api-management
- GitHub Login: @miaojiang
- Microsoft Alias: apimpm
HairyPorker
All 8 comments
@HairyPorker Thank you for your feedback! We will review and provide an update as appropriate.
MohitVerma-MSFT
on 27 Jun 2019
Is there any tutorial how to get this done for clients / consumers who in real life will not use a developer portal for actually consuming the API, but code. A dialog prompt to authenticate token does not help. Say for use case, I want to call the API with Postman.
PinakiIT
on 5 Jul 2019
+1
The article also uses the App Registrations (Legacy), wich is not the current App Registrations version, this is specially important in steps 14 & 15 (Enable OAuth 2.0 user authorization in the Developer Console), since there is no "Settings" page in current App Registrations version (more info: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-registrations-training-guide)
asdlea
on 16 Jul 2019
@HairyPorker Apologies for the delay in response. I'll review and add the required steps as appropriate.
@asdlea This documentation was updated to reflect the new App Registration experience. Could you clarify which exact step is still referencing the legacy one?
@PinakiIT will provide a sample and relay your feedback to APIM team.
mike-urnun-msft
on 18 Jul 2019
These are the steps that I had to change in order to get this to work:
- In step 1 Register an application in Azure AD to represent the API, after creating the application registration and noting it's application id, choose Expose an API. Allow it to create an id for the API then add a scope named "Access.Apis" and allow users and admins to approve it. Add suitable descriptions for both admins and users. The exposed API/scope is needed so that you can complete step 3 in the document. Without it, you will not be able to find the registration to add permissions.
- In step 3, select the scope you created in step 1 for the delegated permissions.
- In step 4, omit the additional parameter resource. Add a default scope of openid.
- In step 4, substep 14/15 go to the App Registration corresponding to client-app. On the Overview tab, select Redirect Uris. Replace the contoso example url with the redirect_url from substep 12 and save your changes.
tvanfosson
on 31 Jul 2019
@mike-urnun-msft i'm sorry for the delay, I just forgot about this until @tvanfosson comment
I think he made it clear about what is outdated. It's probably just about putting a note about how one should add a scope prior to those steps.
Thank you!
asdlea
on 31 Jul 2019
Thanks @tvanfosson!
@miaojiang already has an open PR in the works that'll address all the missing pieces on this doc.
mike-urnun-msft
on 31 Jul 2019
Hi all - PR was merged on last Friday, Aug 2nd PST, and additional steps were added to clarify missing pieces.
We will now proceed to close this thread for now. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.
mike-urnun-msft
on 6 Aug 2019
Related issues
monteledwards
·
3Comments
ianpowell2017
·
3Comments
mrdfuse
·
3Comments
JeffLoo-ong
·
3Comments
Agazoth
·
3Comments