
Commit 9f1d65e

Added steps to integrate Azure AD to protect API
Enabling Azure AD OAuth2 Auth Code Grant flow to protect Claims API.
1 parent 8f3a711 commit 9f1d65e

File tree

1 file changed

+21
-0
lines changed


extensions/azure-stack-edge/README.md

Lines changed: 21 additions & 0 deletions
@@ -61,6 +61,27 @@ At this point, we have successfully deployed Claims API to the ASE. In the follo
6161
18. Examin the APIM gateway metrics:
6262
![image](https://user-images.githubusercontent.com/15071173/123029833-96978680-d396-11eb-84ff-cd41bdb20b39.png)
6363

64+
In the following steps, we will [**integrate Azure AD to protect the Claims API**](https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad) on Azure Stack Edge.
65+
66+
19. [Create an App Registration](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis) in Azure AD to represent the **Claims web API**. On the app Overview page, find the **Application (client) ID** value and record it for later.
67+
![image](https://user-images.githubusercontent.com/15071173/124045995-cb729180-d9c5-11eb-99d4-840c6717c4b5.png)
68+
Expose the API and define a scope. Take a note of the scope.
69+
![image](https://user-images.githubusercontent.com/15071173/124046272-6a978900-d9c6-11eb-81f2-3a8b56b34055.png)
70+
20. Register another application in Azure AD to represent **a client application (in this example, Postman)**. Add client secret.
71+
![image](https://user-images.githubusercontent.com/15071173/124046527-0628f980-d9c7-11eb-9c7c-fe461a9fd031.png)
72+
Add Redirect URIs.
73+
![image](https://user-images.githubusercontent.com/15071173/124046732-7df72400-d9c7-11eb-8408-eaa564283403.png)
74+
21. Grant permissions in Azure AD so the client app can access the Claims API. **Optionally**, grant admin consent if you have permissions. Otherwise user consent will be granted later.
75+
![image](https://user-images.githubusercontent.com/15071173/124046900-d5958f80-d9c7-11eb-81c6-6cdc717ea6e4.png)
76+
22. Enable OAuth 2.0 user authorization for the APIM instance in Azure Portal.
77+
![image](https://user-images.githubusercontent.com/15071173/124047452-16da6f00-d9c9-11eb-98ac-2081f1a6871e.png)
78+
23. Configure a JWT validation policy for the APIM to pre-authorize requests before passing them to Claims API.
79+
![image](https://user-images.githubusercontent.com/15071173/124048089-679e9780-d9ca-11eb-9558-1e3e102695dc.png)
80+
24. Configure [OAuth2 Auth Code Grant](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) and obtain a JWT token while submitting request to Claims API.
81+
![image](https://user-images.githubusercontent.com/15071173/124047199-7421f080-d9c8-11eb-95df-922604ce6986.png)
82+
25. Verify the response. It should be the same as in step 17 above.
83+
84+
6485
**Notes**:
6586
* Since we are using the edge container registry (ECR) instead of ACR, we will need to create imagePullSecret on k8s to store the ECR credential "**regcred**", see below:
6687
```bash
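Review bot: step 23 ("Configure a JWT validation policy for the APIM to pre-authorize requests") is documented only by a screenshot, so a reader cannot copy the policy and a reviewer cannot see what it actually validates; please add the `<validate-jwt>` policy XML as text under that step. The policy should at least require the audience to be the Application (client) ID recorded in step 19 and the scope defined there ("Expose the API and define a scope. Take a note of the scope."), since a JWT check that only verifies the issuer signature would accept a token issued for any other API in the same tenant. Two smaller points in the same hunk: step 24's "obtain a JWT token while submitting request to Claims API" reads as if the token is acquired during the request; suggest "obtain an access token through the Auth Code flow and send it in the Authorization header of the request to the Claims API". And step 20's "Add client secret" should say where the secret is kept for the Postman client (it must not end up in this README or in a committed Postman collection).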
