
Incomplete bearer token when using authentication-managed-identity tag in azure api management

I've been trying to expose an API through azure API Management and I can't figure out what I'm doing wrong. Here's the situation:

  • My API is going to be called from an external application

  • They don't have an Azure Account in the same tenant

  • I want to enable external calls for my API by just using a subscription key (hence, why I'm using API Management), but also want to keep my actual API secured with Azure AD.

  • I have an API which is secured with Azure AD using OAuth2 and published into a Windows AppService

  • I have an App registration for that API, which I use to authenticate (it works from Postman, for example) app registration

  • I have Managed Identities turned on and permissions set.

  • I have added the API in API management

  • I added the authentication-managed-identity inbound rule, used the API Id Uri of the app registration as the resource value for it. Api Management Config

  • When testing an endpoint from the APIM interface, I can successfully get a bearer token, but I get a 500 exception from the API which says: Neither scope or roles claim was found in the bearer token bearer response

  • Here is the decoded bearer token, it doesn't have a scp attribute bearer decoded

I'm not sure where I can specify a scope. If I use the full scope uri (api://guid/access.api.management) it will fail when trying to get a bearer token (The resource principal named api://guid/access.api.management was not found in the tenant). I've even tried adding the Owner role to the APIM Identity for the AppService.

Maybe I'm not using this correctly, I'm pretty new at using Azure cloud and API Management so any suggestions are welcome. Thanks.

You have exposed an API protected by Azure, and currently you have an API application. Next, you need to create another application that represents the client, and then add the client application to the API application.


Next, go to the client application.

  • Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
  • Find your api application and select the appropriate scope.
  • Click 'Add permissions'.
  • Grant admin consent for your APIs.


Next, you need to use the auth code flow to obtain an access token, which requires you to log in as the user and obtain the authorization code, and then use the authorization code to redeem the access token.

1. Request an authorization code in the browser.

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=api://{api app client id}/{scope name}
&state=12345

2. Redeem the token.


Parse the token:

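As an added illustration (not code from the answer or the asker): the authorize request from step 1 built as a URL, plus a signature-free inspection of a token payload for the scp/roles claims the API in the question insists on. The tokens are constructed samples with placeholder aud/appid values; a real token still has to be validated (signature, issuer, audience, expiry) by the API before any claim is trusted.

```python
import base64
import json
from urllib.parse import urlencode


def build_authorize_url(tenant_id, client_id, redirect_uri, api_app_id, scope_name, state="12345"):
    """Authorization-code request from the answer: a delegated scope on the API app registration."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"api://{api_app_id}/{scope_name}",
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_claims(jwt):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorization_claims(jwt):
    """Return (scopes, roles): 'scp' is a space-separated string in Azure AD tokens, 'roles' a list."""
    claims = token_claims(jwt)
    scopes = str(claims.get("scp", "")).split()
    roles = list(claims.get("roles") or [])
    return scopes, roles


def has_authorization_claim(jwt):
    """The check behind the 500 in the question: a token carrying neither scp nor roles is rejected."""
    scopes, roles = authorization_claims(jwt)
    return bool(scopes or roles)


def make_sample_token(payload):
    """Constructed, unsigned sample token for local demonstration only (placeholder signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed sample payloads: claim names are the real Azure AD ones, values are placeholders.
MANAGED_IDENTITY_TOKEN = make_sample_token({"aud": "api://API-APP-ID", "appid": "APIM-MI-ID", "ver": "1.0"})
DELEGATED_TOKEN = make_sample_token({"aud": "api://API-APP-ID", "scp": "access.api.management", "ver": "2.0"})
APP_ROLE_TOKEN = make_sample_token({"aud": "api://API-APP-ID", "roles": ["Api.Access"], "ver": "2.0"})

if __name__ == "__main__":
    for name, tok in [("managed identity", MANAGED_IDENTITY_TOKEN), ("delegated", DELEGATED_TOKEN), ("app role", APP_ROLE_TOKEN)]:
        print(f"{name}: scp/roles present = {has_authorization_claim(tok)}")
```

The first sample mirrors the decoded token in the question (audience set, no scp or roles), which is exactly the shape the API refuses.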

I managed to get it working using the client credentials flow and storing the client secret in Key Vault.
