Integrate OAuth2 and OpenID Connect with a C#.Net API and Azure APIM
Introduction
This post describes how to secure an API with Azure API Management (APIM), OAuth 2.0 and OpenID Connect (OIDC).
Prerequisites
- Azure API Management: fronts the Azure Function App. Public access to the Function endpoint is restricted so that it can be called only from APIM.
- Azure Entra ID: used to register the APIM backend app and the client app, in this case Postman.
- Azure Function App: a simple HTTP trigger with a GET endpoint that returns a simple message.
- Postman or Bash: used to test.
Architecture
- Postman is the client app in this case. It requests a JWT access token from Azure Entra ID using the app registration's client id and client secret. This is OIDC.
- Azure Entra ID returns the JWT access token.
- Postman calls the APIM endpoint with the token as a Bearer token in the Authorization header.
- APIM validates the token against Azure Entra ID.
- APIM returns the success payload or a 401 Unauthorized error.
In this scenario, OIDC is used to authenticate the user or application and obtain a JWT token, and OAuth 2.0 is then used to authorize the client to access the protected resource, which is the API exposed through APIM.
Different OAuth grant types
Description of grant types
High-level steps required to configure OAuth in Azure Entra ID
Register an app, oauth-apim-backend, in Azure Entra ID to represent the protected APIM resource.
Register a second app, oauth-client-app, in Azure Entra ID to represent Postman, the client that wants to access the protected APIM resource.
Configure API Management as shown below.
This post is licensed under CC BY 4.0 by the author.