
Configure Azure AD as a Key Manager

WSO2 API Manager supports multiple Key Managers. It ships with an inbuilt resident Key Manager and, through connectors, can use any authorization server as a Key Manager.

WSO2 API Manager can therefore connect to Azure AD out of the box using the WSO2 API-M KM Azure AD Connector.

Follow the instructions given below to configure AzureAD as a third-party Key Manager.

Configure AzureAD

  1. Create an Azure account that has an active subscription. You can create an account for free.

  2. The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:

    • Application administrator
    • Application developer
    • Cloud application administrator

This completes the Set up a tenant quickstart.

Step 1 - Create Application

  1. Visit Azure Home.
  2. Navigate to Microsoft Entra ID.
  3. Navigate to App Registration.
  4. Navigate to New registration, give a name (e.g. KeyManager Client) and click Register.

Step 2 - Create secrets

  1. Navigate to Certificates & secrets>Client secrets>New client secret.
  2. Fill in the form with the relevant information and select Custom as the value for Expires.
  3. Make sure to copy the secret value; it is shown only once.

Step 3 - Configure permissions

  1. Navigate to API Permissions.
  2. Click Add a permission.
  3. Select APIs my organization uses.
  4. Select Microsoft Graph from the list.
  5. Click on Application permissions.
  6. Expand Application and check the following:
    • Application.Read.All
    • Application.ReadWrite.All
    • Application.ReadWrite.OwnedBy
  7. Click Add permissions.
  8. Click Grant admin consent for Default Directory.

Ensure that the newly added permissions display a green checkmark to indicate successful configuration.

Azure AD Permission

Step 4 - Copy Application Details

  1. Navigate to Microsoft Entra ID.
  2. Click on Endpoints and note down the following:
    • OAuth 2.0 token endpoint (v2.0)
      e.g. https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
    • OpenID Connect metadata document (v2.0)
      e.g. https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
    • Microsoft Graph API endpoint
      e.g. https://graph.microsoft.com
  3. Under Owned applications click on the newly created application.
  4. Copy the Application (client) ID.

Configure API Manager

Start the API Manager server and log in to the Admin portal to configure Azure AD as a Key Manager.

Step 1 - Configure Key Manager

  1. Click on Key Managers from the side panel and then click Add Key Manager.
  2. Fill in the following:
    • Name: AzureAD
    • Display Name: Azure AD Key Manager
    • Description (optional)
  3. Select the Key manager type as Azure AD and provide the relevant details in the Key Manager Endpoints section.

    • Well-known URL: Paste the OpenID Connect metadata document (v2.0) URL collected from the endpoints and click Import.
    • Issuer (Mandatory): The issuer that issues the access tokens the gateway validates.
      e.g. https://login.microsoftonline.com/{tenant-id}/v2.0
    • Client Registration Endpoint (Mandatory): Paste the Microsoft Graph API endpoint.
    • Introspection Endpoint (Mandatory): Paste the OAuth 2.0 token endpoint (v2.0) URL (token introspection is not supported in Azure AD).
    • Token Endpoint (Mandatory): Paste the OAuth 2.0 token endpoint (v2.0) URL.
    • Display Token Endpoint (Optional): Paste the OAuth 2.0 token endpoint (v2.0) URL.
    • Revoke Endpoint (Mandatory): Paste the OAuth 2.0 token endpoint (v2.0) URL (token revocation is not supported in Azure AD).
    • Display Revoke Endpoint (Optional): Paste the OAuth 2.0 token endpoint (v2.0) URL.
    • Userinfo Endpoint (Mandatory): The endpoint that allows clients to verify the identity of the end user based on the authentication performed by the authorization server, and to obtain basic profile information about the end user.
      e.g. https://graph.microsoft.com/oidc/userinfo
    • Authorize Endpoint (Optional): The endpoint used to obtain an authorization grant from the resource owner via user-agent redirection.
      e.g. https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
    • Scope Management Endpoint (Mandatory): The endpoint used to manage scopes.

  4. In the Claim URIs section, set the Consumer Key Claim URI to appid.

  5. Set the Grant Types to client_credentials (use only this grant type).
  6. Provide the relevant details in the Connector Configurations section.
    • Microsoft Graph API Endpoint (Mandatory): Paste the Microsoft Graph API endpoint.
    • Microsoft Graph API Endpoint Version (Mandatory): Select the checkbox for v1.0.
    • Client ID (Mandatory): Paste the Application (client) ID.
    • Client Secret (Mandatory): Paste the client secret value that was generated.
  7. Set the Permissions:
    • Key Manager Permission: Permission type for role-based Key Manager restriction.
      e.g., PUBLIC, ALLOW, DENY (Optional)
  8. Click on Add.

Step 2 - Create an Application & Generate Keys

  1. Click on Add New Application.
  2. Fill in the required information and click on Add.
  3. Once created, navigate to the Production Keys section of that Application.
  4. Select the Azure AD Key Manager and click on Generate Keys.

Troubleshooting Invalid Credentials Error

If you encounter the following error message when using a token generated by the Key Manager to invoke an API deployed in APIM:

{
  "code": "900901",
  "message": "Invalid Credentials",
  "description": "Access failure for API: /exampleapi/1.0.0, version: 1.0.0 status: (900901) - Invalid Credentials. Make sure you have provided the correct security credentials."
}

Verify that the iss (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. If they differ, update the issuer in the Key Manager Endpoints section to match the iss value present in the token.
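The two checks above (deriving the Key Manager Endpoints values from the OpenID Connect metadata document, and comparing a token's iss claim with the configured issuer) can be scripted. The following is an added example, not code from the WSO2 documentation or the connector; it uses only the Python standard library, the metadata document is a constructed sample with a {tenant-id} placeholder, and the sample tokens are constructed, unsigned JWTs used purely to read claims, so signature validation is left to the gateway as in the real flow.

```python
"""Offline helpers for checking an Azure AD Key Manager configuration.

Added example, not part of the WSO2 documentation. Assumes the v2.0
OpenID Connect metadata and token claim names documented by Microsoft.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of the metadata fields the Key Manager imports from the
# well-known URL; {tenant-id} is a placeholder, not a real tenant.
SAMPLE_METADATA = {
    "issuer": "https://login.microsoftonline.com/{tenant-id}/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token",
    "authorization_endpoint": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
}


def key_manager_endpoints(metadata):
    """Map metadata fields onto the Key Manager Endpoints form.

    Issuer, token, authorize and userinfo come from the metadata; the
    introspection and revoke fields reuse the token endpoint because Azure AD
    does not offer those endpoints, as the configuration table notes.
    """
    token = metadata["token_endpoint"]
    return {
        "Issuer": metadata["issuer"],
        "Token Endpoint": token,
        "Introspection Endpoint": token,
        "Revoke Endpoint": token,
        "Authorize Endpoint": metadata.get("authorization_endpoint"),
        "Userinfo Endpoint": metadata.get("userinfo_endpoint"),
    }


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT without verifying it.

    Diagnostic only: it reads iss/ver/appid so they can be compared with the
    Key Manager settings. The gateway performs the signature check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token, configured_issuer, consumer_key_claim="appid"):
    """Compare token claims with the Key Manager configuration.

    Returns a list of findings; an empty list means nothing mismatched.
    """
    claims = decode_jwt_claims(token)
    findings = []
    if claims.get("iss") != configured_issuer:
        findings.append("issuer mismatch: token iss=%r, Key Manager issuer=%r"
                        % (claims.get("iss"), configured_issuer))
    # Azure AD marks the token format in the ver claim ("1.0" or "2.0").
    if claims.get("ver") != "2.0":
        findings.append("token ver=%r; a v2.0 token was expected" % claims.get("ver"))
    if consumer_key_claim not in claims:
        findings.append("token lacks the %r claim configured as Consumer Key Claim URI"
                        % consumer_key_claim)
    return findings


def make_sample_token(claims):
    """Build a constructed, unsigned JWT (alg none) for offline testing."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


def client_credentials_request(token_endpoint, client_id, client_secret, scope):
    """Prepare (but do not send) the client_credentials POST to the token endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode("ascii")
    return urllib.request.Request(token_endpoint, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    issuer = key_manager_endpoints(SAMPLE_METADATA)["Issuer"]
    sample = make_sample_token({"iss": issuer, "ver": "2.0", "appid": "constructed-client-id"})
    print(diagnose_token(sample, issuer) or "no mismatch found")
```

To use it against a real token, paste the access token returned by Generate Keys into diagnose_token together with the issuer shown in the Key Manager Endpoints section; each finding names the claim that disagrees with the configuration, which is the same comparison the troubleshooting step above asks for. The request built by client_credentials_request can be sent with urllib.request.urlopen once real values are substituted; the scope would normally be the application's .default scope.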

Post checks

Under App registrations there should be the newly created application, and its Application ID URI should be

     `api://<Application (client) ID>`

You can also set this value by clicking the Set link right next to the label; the default is the value shown above.

Without this value set on the app, tokens are generated in the version 1 format and will not work with the APIM Key Manager because signature validation fails.

Update the client secret

Updating the secret by supplying a new value from APIM is not supported. Whenever the application is updated via APIM, a new client_secret is generated.

Failed to add password. Error detail: Unable to save changes because the credential limit has been reached. Please delete a credential and try again.

If you see this message in the logs, or after updating the application several times, the cause is an Azure AD limit on client secrets: an application can have at most 2 client_secrets. Delete the old one from the Azure AD portal.

Adding existing keys with APIM

Because a client_secret cannot be retrieved after it has been generated, adding existing keys from APIM is not supported.