
Securing Back end services in Azure API Management using OAuth2 Client Credentials flow

I have deployed a .NET Core Web API and provided access through Azure API Management. I now wish to secure the back end using OAuth2 Client Credentials flow.

I have added Azure AD Authentication as follows:

// Startup.ConfigureServices: validate incoming bearer tokens issued by Azure AD
// (requires the Microsoft.AspNetCore.Authentication.AzureAD.UI package)
using Microsoft.AspNetCore.Authentication.AzureAD.UI;

services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
    .AddAzureADBearer(options =>
    {
        // Instance, TenantId and ClientId come from the "AzureAd" configuration section
        Configuration.Bind("AzureAd", options);
    });

I have created an App Registration and Client Secret in Azure AD and confirmed it is working by creating a token using the code below and calling the API.

// ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) client credentials flow
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// authContext is assumed to be built for the tenant's authority, e.g.
// new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}")
var clientCred = new ClientCredential(clientId, clientSecret);
var result = await authContext.AcquireTokenAsync(resource, clientCred);
return result.AccessToken;

Is it possible to use this flow in Azure API Management? I would like Azure API Management to handle acquiring the token and passing in the header.

The closest I have found is the following article, but this seems to involve the consumer of the API passing headers, which seems to defeat the point of the API Management subscription functionality.

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

At the moment the only way to do that on the APIM side is to use the send-request policy to do the OAuth flow. That will require you to give APIM a client id and secret, but you could use named values to store those securely.
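As an added illustration of the approach described in this answer (not code from the question, the answer, or any Microsoft sample), the following APIM inbound policy performs the client credentials flow with send-request, caches the resulting token, and forwards it to the backend as a bearer token. The named values {{tenant-id}}, {{client-id}}, {{client-secret}} and {{backend-resource}}, the cache key backend-access-token, and the variable names are assumptions; the secret should be stored as a secret named value (or a Key Vault reference), and {{backend-resource}} is the App ID URI of the backend's app registration so that the token's audience matches what AddAzureADBearer validates.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reuse a cached backend token if one exists (cache key name is an assumption) -->
    <cache-lookup-value key="backend-access-token" variable-name="backendToken" />
    <choose>
      <when condition="@(!context.Variables.ContainsKey("backendToken"))">
        <!-- Client credentials grant against the Azure AD token endpoint.
             {{tenant-id}}, {{client-id}}, {{client-secret}} and {{backend-resource}}
             are named values (assumed names); the secret is never exposed to API consumers. -->
        <send-request mode="new" response-variable-name="tokenResponse" timeout="20" ignore-error="false">
          <set-url>https://login.microsoftonline.com/{{tenant-id}}/oauth2/token</set-url>
          <set-method>POST</set-method>
          <set-header name="Content-Type" exists-action="override">
            <value>application/x-www-form-urlencoded</value>
          </set-header>
          <!-- URL-encode the secret so special characters do not corrupt the form body -->
          <set-body>@("grant_type=client_credentials"
                      + "&client_id={{client-id}}"
                      + "&client_secret=" + System.Net.WebUtility.UrlEncode("{{client-secret}}")
                      + "&resource={{backend-resource}}")</set-body>
        </send-request>
        <choose>
          <!-- Fail closed: never call the backend without a valid token -->
          <when condition="@(((IResponse)context.Variables["tokenResponse"]).StatusCode != 200)">
            <return-response>
              <set-status code="502" reason="Backend token acquisition failed" />
            </return-response>
          </when>
        </choose>
        <set-variable name="backendToken"
                      value="@(((IResponse)context.Variables["tokenResponse"]).Body.As<JObject>()["access_token"].ToString())" />
        <!-- Cache for less than the token lifetime (Azure AD defaults to 3600 s) so a stale token is never sent -->
        <cache-store-value key="backend-access-token"
                           value="@((string)context.Variables["backendToken"])"
                           duration="3300" />
      </when>
    </choose>
    <!-- Override, never append: a consumer-supplied Authorization header must not reach the backend -->
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["backendToken"])</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Consumers keep authenticating to APIM with their subscription key; the backend only ever sees tokens minted for APIM's own app registration, so it can keep validating audience and issuer with the AddAzureADBearer configuration shown in the question. cache-lookup-value and cache-store-value need a cache to be available (the built-in cache, or an external Redis cache on tiers such as Consumption that have none); without one the policy still works but acquires a fresh token on every call.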
