I was working on a Web API and published the API to Azure App Service. I then enabled authentication and authorization using Azure Active Directory. Postman is a great tool to test REST APIs; however, it was a bit tricky to set up OAuth 2.0 to test the API. I am outlining the steps here to set up OAuth 2.0 and use Postman correctly to test a Web API on Azure. Check out the OAuth 2.0 Authorization Framework to learn the basics of the OAuth 2.0 authentication/authorization framework.
Setup OAuth 2.0
The first step is to make sure OAuth 2.0 is set up correctly for your API. To set it up, follow the steps below:
- Go to Azure Active Directory on the Azure Portal and select New application registration under App registrations as shown below:
- Enter the API name, select Web App / API as the application type and enter the sign-on URL on the following screen. The sign-on URL is your API URL.
- Once you hit Create, your API app will be registered. Go back to App registrations and you should now see your API registered along with a unique Application ID. This Application ID will be used as both the resource id and the client id when doing OAuth 2.0 authentication.
Configure OAuth 2.0 with Postman
- Under the Authorization tab, select OAuth 2.0 as the Type and click “Get New Access Token” as shown below:
- Once you click “Get New Access Token”, the following screen will appear:
Here are all the parameter details needed to request the token successfully:
Token Name: give any name for your own reference. You can see all your tokens later under Manage Tokens.
Grant Type: select Authorization Code. To learn about each grant type, refer to https://tools.ietf.org/html/rfc6749#page-8
Callback URL: for an API app this is the same as the API address. You can also check this URL on the Azure portal under Azure Active Directory -> App Registration -> App Settings -> Reply URL.
Auth. URL and Access Token URL
These URLs are the Microsoft authorization server URLs and can be found on the portal. Go to Azure Active Directory -> App Registration -> Endpoints:
- Copy the OAuth 2.0 Authorization Endpoint; it should look like https://login.microsoftonline.com/[tenant id]/oauth2/authorize
- Copy the OAuth 2.0 Token Endpoint: https://login.microsoftonline.com/[tenant id]/oauth2/token
Note: the tenant id is the unique id of your Azure Active Directory. You can also get this id from Azure Active Directory -> Properties -> Directory ID.
Note: add a resource parameter to the Authorization URL. After the change, the authorization URL should look like https://login.microsoftonline.com/[tenant id]/oauth2/authorize?resource=<Application ID> (the Application ID is the unique id of the web API you registered in step 1).
Client ID: the Application ID of the registered web API; it is the same as the resource id.
Client Secret: this needs to be generated on the Azure Portal. Go to Azure Active Directory -> App Registration -> select the registered app -> Settings -> Keys and add a new key to obtain a client secret for the web API app, as shown below:
- Description: enter a key name.
- Expires: select the key expiry duration. You have the option of 1 year, 2 years or never expires.
- Value: any text. Once you save, the text you entered is converted to a key; copy the key and store it, because it is shown only once, and use this key value as client_secret.
Scope: not a required parameter and can be left blank.
State: a value chosen by the client; it can be any unique value you want. The same value is returned in the response so the client can make sure the access token is returned to the same client that requested it.
Client Authentication: select Send as Basic Auth header.
After providing all parameter values, click Request Token. It will prompt the Microsoft login screen to enter credentials. Use any account that is part of your Azure Active Directory and grant access; once completed you will get the access token window showing the returned access token with all other info. Scroll down the screen and click “Use Token”. After closing the screen, click “Preview Request”, which adds the Authorization header to the request.
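To make explicit what Postman does behind the Get New Access Token dialog, the following is an added example (not code from the post) that walks the authorization code flow against the v1 endpoints described above: it builds the authorize URL with the resource parameter and a random state, checks the state on the callback, and builds the token request with the client id and secret sent as a Basic auth header. The tenant id, Application ID, client secret and callback URL are placeholders; no network call is made.

```python
"""Authorization code flow against Azure AD v1 endpoints, as configured in Postman.

All identifiers below are placeholders constructed for this example.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "00000000-0000-0000-0000-000000000000"       # placeholder Directory ID
APPLICATION_ID = "11111111-1111-1111-1111-111111111111"  # placeholder Application ID (client id = resource id)
CLIENT_SECRET = "example-client-secret"                  # placeholder key value from Settings -> Keys
CALLBACK_URL = "https://example-api.azurewebsites.net/"  # placeholder Reply URL

AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"


def new_state() -> str:
    """Unpredictable per-request state; Postman generates this for you."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str, resource: str = APPLICATION_ID) -> str:
    """The URL the browser is sent to. 'resource' is the parameter the post adds to the Auth. URL."""
    params = {
        "client_id": APPLICATION_ID,
        "response_type": "code",
        "redirect_uri": CALLBACK_URL,
        "state": state,
        "resource": resource,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting responses whose
    state does not match the request we made."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    returned_state = query.get("state", [None])[0]
    if returned_state is None or not secrets.compare_digest(
        returned_state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: response does not belong to this request")
    return query["code"][0]


def build_token_request(code: str):
    """Token request with client authentication in a Basic auth header ('Send as Basic Auth header').
    Returns (url, headers, urlencoded_body); the secret is never placed in the body."""
    credentials = f"{APPLICATION_ID}:{CLIENT_SECRET}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(credentials).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": CALLBACK_URL,
        "resource": APPLICATION_ID,
    }
    return TOKEN_ENDPOINT, headers, urlencode(body)


if __name__ == "__main__":
    state = new_state()
    print("1. Browse to:", build_authorization_url(state))
    # Constructed redirect standing in for what the login page sends back.
    redirect = CALLBACK_URL + "?code=AUTH_CODE_FROM_SERVER&state=" + state
    code = parse_callback(redirect, state)
    url, headers, body = build_token_request(code)
    print("2. POST", url)
    print("   headers:", headers)
    print("   body:", body)
```

Comparing the printed authorize URL with the Auth. URL configured in Postman is a quick way to confirm that the resource parameter is actually present before requesting a token.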
The issues I encountered when trying to create a new access token:
AADSTS70002: The request body must contain the following parameter: ‘client_secret or client_assertion’.
Make sure you provide a client_secret before requesting an access token.
AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
This error occurs when the supplied client_secret is not the same as the one configured on the portal, or when no client_secret is configured at all. Make sure you supply a valid client_secret.
AADSTS50001: Resource identifier is not provided.
This error was the most mysterious one, and its root cause was difficult to find, because Postman does not offer a specific parameter to supply the resource and I was supplying the Auth. URL without the resource parameter. The resolution was to provide the resource parameter as part of the Auth. URL, as described above in step 2.
If the resource parameter value supplied as part of the Auth. URL is not the one expected, this error is returned. I initially provided the API URL as the resource parameter value, as described in many resources found online, and got this error. I then changed the resource value to the Application ID of the Web API, as described above in step 2, and it worked fine.