Integrate with Azure API Management

Integrate with Azure API Management

Before you start

You'll need a Microsoft account with access to the Azure Portal.

The Azure API Management service allows you to create new APIs or import existing API definitions and publish them for use by the approved audiences. Auth0 makes authorizing users of your API (using OAuth 2.0 standards) easy.

In this tutorial, you'll learn how to use Auth0 to authenticate and authorize users when they access a Basic Calculator API managed by Azure API Management.

Configure Auth0

Create an API

You'll need to create an API in Auth0 to represent the API managed by the Azure API Management Service. To learn more, read Register APIs.

  1. Navigate to Auth0 Dashboard > Applications > APIs, and select Create API.

  2. Set the following parameters:

    Field Value
    Name Basic Calculator
    Identifier basic-calculator
    Signing Algorithm RS256

  3. Select Create.

Create a Regular Web Application

You'll need to create a Regular Web Application (RWA) in Auth0 to communicate with the OAuth 2.0 authorization server in Azure:

  1. Navigate to Auth0 Dashboard > Applications > Applications, and select the Create Application button.

  2. Enter a Name for your application, and select Regular Web Applications for the application type.

Create and enable a connection

You'll need to create a connection in Auth0 and enable it for your application:

  1. Navigate to Auth0 Dashboard > Authentication > Database, and select Create DB Connection.

  2. Enter a Name for your connection. We suggest choosing a name that reflects the source of users (such as Facebook for a Connection that contains users using their Facebook credentials or site-sign-ups for a database connection where users sign up on your site).

  3. Select Create.

  4. Navigate to your connection's Settings page.

  5. Switch to the Applications view, where you'll see a list of all the applications on your tenant.

  6. Toggle the application you created previously to enable it for the connection.

Create a user

You'll need to have at least one user on your connection to test authentication and authorization. If you do not have an existing set of users for the connection, you can create one manually:

  1. Navigate to Auth0 Dashboard > User Management > Users, and select Create User.

  2. Enter an Email and Password, and select the connection you created in Step 3 for the Connection field.

  3. Select Create.

Configure Azure

Create Azure API Management Service

You'll need to create an API Management Service instance in Azure to manage your API:

  1. In the navigation bar, select Create a resource.

  2. Once redirected, select Web > API Management.

  3. Provide the following configuration variables:

    Parameter Description
    Name The name for your service (which will also be used to create the URL you need to access the service)
    Subscription The Azure subscription plan with which you'll use with the service
    Resource group The collection of resources sharing a lifecycle, permissions, and policies. You can use an existing resource group or you can create a new one (you'll need to provide a name for the group if you create a new one)
    Location Choose the location that services your API instance
    Organization name The name of your organization
    Administrator email The email address of the person who will be administering this instance
    Pricing tier The pricing tier you want, which determines the number of calls you can make to your API, as well as the maximum amount of data transfer allowed. You must opt for the Developer plan or higher; the Consumption plan does not offer sufficient functionality for this integration to work.

  4. Select Create to begin provisioning your service (this may take up to 15 minutes to complete).

Import the sample API

For this tutorial, we will be importing and using the Basic Calculator API provided by Microsoft. For detailed instructions, see Import and Publish Your First API from Microsoft.

When done, select Create to import your API. You'll be redirected to the summary page for your API when it's fully imported.

Configure an OAuth 2.0 authorization server

To use Auth0 to secure your Azure API, you'll need to register Auth0 as an OAuth 2.0 authorization server:

  1. Find the OAuth 2.0 + OpenID Connect area of your API Management service instance near the navigation bar. Select OAuth 2.0, and then select Add.

  2. Go to the Add OAuth2 service configuration screen, and select the Authorization Code grant type.

  3. Set the following parameters:

    Parameter Description
    Display name Enter a descriptive name for your authorization server, such as Auth0.
    Id This field should auto-populate based on the display name you provide.
    Description Enter a description for your authorization server, such as Auth0 API Authentication.
    Client registration page URL Enterhttps://placeholder.contoso.com as a placeholder.
    Authorization code grant types Select Authorization code.
    Authorization endpoint URL Refer to your tenant's OIDC Discovery endpoint and append the audience parameter. For example: https://YOUR_DOMAIN/authorize?audience={API_AUDIENCE}.
    Authorization request method Default is GET.
    Token endpoint URL Refer to your tenant's OIDC Discovery endpoint .
    Client authentication methods Select Basic.
    Access Token sending method Select Authorization header.
    Default scope Specify a default scope , if required.

  4. Under the Client Credentials section, enter your Auth0 applications client ID in the Client ID field and client secret in the Client secret field.

  5. Switch to the Redirect URI view, and copy the URI value in the Authorization code flow grant field.

  6. Select Create.

Configure Azure API to use Auth0

After you've created your OAuth 2.0 authorization server in Azure, you'll need to update your Azure API to use Auth0 for user authorization:

  1. Under the APIs section in the navigation, select APIs.

  2. Select the Basic Calculator API, and go to the Design view.

  3. Switch to the Settings view.

  4. Navigate to the Security section, and select OAuth 2.0 under User Authorization.

  5. Select the server you configured in the previous step for the Authorization Server field.

  6. Click Save.

Set the Allowed Callback URL in Auth0

After your Azure API is provisioned and configured to use Auth0 for user authorization, you'll need to update your Auth0 application:

  1. Navigate to Auth0 Dashboard > Applications > Applications.

  2. Select your application, and switch to the Settings view.

  3. Enter the Redirect URI you copied previously into the Allowed Callback URLs field.

  4. Click Save.

Test the integration

In to the Azure Portal, open up your instance of the API Management Service.

  1. Select Developer Console to launch the developer-facing side of your APIs.

  2. Go to APIs > Basic Calculator. This opens up to the page where you can make a GET call that allows you to add two integers.

  3. Select Try It. This will bring up the page where you can provide the parameters for your call.

  4. Navigate to the Authorization section, and select Authorization Code (next to the Auth0 field).

  5. A popup window will appear with the Auth0 login widget (if it doesn't, ensure that any pop-up blockers are disabled for your browser). Enter the credentials for the Auth0 user you created in Step 4, and log in.

  6. If you were able to successfully log in, a message will appear with the expiration date of the access token you can use to call your API.

  7. Navigate to the bottom, and select Send. If the request is successful, you'll see a message containing the HTTP 200 response at the bottom of the page.

Configure a JWT validation policy for Access Tokens

In the previous step, the user is prompted to sign in when they try to make a call from the Developer Console. The Developer Console attempts to obtain an Access Token on behalf of the user to be included in the API request. All Access Tokens will be passed to the API via the Authorization header.

If you want to validate the Access Token included with each request, you can do so by using the Validate JWT policy. Please refer to Microsoft's documentation on setting an API Management policy.