Configure a Azure AD as a Key Manager¶
WSO2 API Manager supports multiple Key Managers. As a result, WSO2 API Manager is prepacked with an inbuilt resident Key Manager and with the use of connectors it is capable of supporting any authorization server as a Key Manager.
Therefore, WSO2 API Manager can connect Azure AD out-of-the-box using the WSO2 API-M KM Azure AD Connector.
Follow the instructions given below to configure AzureAD as a third-party Key Manager.
Info
For more information, see the Getting Started Guide, which is under the official Azure Entra ID documentation.
Configure AzureAD¶
-
Create An Azure account that has an active subscription. Create an account for free.
-
The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:
- Application administrator
- Application developer
- Cloud application administrator
This will complete the Set up a tenant quickstart.
Step 1 - Create Application¶
- Visit Azure Home.
- Navigate to Microsoft Entra ID.
- Navigate to App Registration.
- Navigate to New registration, Give a name
(Ex : KeyManger Client)
and Click Register.
Step 2 - Create secrets¶
- Navigate to
Certificates & secrets
>Client secrets
>New client secret
. - Fill the form with relevant information and give
Custom
as the value for Expire. - Make sure to copy the secret, it only shows once.
Step 3 - Configured permissions¶
- Navigate to
API Permissions
. - Click
Add a permissions
. - Select
APIs my organization uses
. - Select
Microsoft Graph
from the list. - Click on
Application permissions
. - Expand
Application
and check- Application.Read.All
- Application.ReadWrite.All
- Application.ReadWrite.OwnedBy
- Click
Add permissions
. - Click
Grant admin consent for Default Directory
.
Ensure that the newly added permissions display a green checkmark to indicate successful configuration.
Step 4 - Copy Application Details¶
- Navigate to Microsoft Entra ID.
- Click on 'Endpoints' and Note down
- OAuth 2.0 token endpoint (v2.0)
e.g.
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
- OpenID Connect metadata document (v2.0)
e.g.
https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
- Microsoft Graph API endpoint
e.g.
https://graph.microsoft.com
- OAuth 2.0 token endpoint (v2.0)
e.g.
- Under
Owned applications
click on the newly created application. - Copy the Application (client) ID.
Configure API manager¶
Start the API Manager server and log-in to the Admin portal to configure Azure AD as a Key Manager.
Step 1 - Configure Key Manager¶
- Click on
Key Managers
from the side panel and then clickAdd Key Manager
. - Fill the following
- Name:
AzureAD
- Display Name:
Azure AD Key Manager
- Description (optional)
- Name:
-
Select the Key manager type as
Azure AD
and provide the relevant details in theKey Manager Endpoints
section.Configuration Instruction Well-known URL Paste the OpenID Connect metadata document (v2.0)
URL collected from the endpoints and click onImport
Issuer The issuer that consumes or validates access tokens.
Example:
https://login.microsoftonline.com/{tenent-id}/v2.0Mandatory Client Registration Endpoint Paste the Microsoft Graph API endpoint
Mandatory Introspection Endpoint Paste the OAuth 2.0 token endpoint (v2) URL (token introspection is not supported in Azure AD) Mandatory Token Endpoint Paste the OAuth 2.0 token endpoint (v2) URL Mandatory Display Token Endpoint Paste the OAuth 2.0 token endpoint (v2) URL Optional Revoke Endpoint Paste the OAuth 2.0 token endpoint (v2) URL (token revocation is not supported in Azure AD) Mandatory Display Revoke Endpoint Paste the OAuth 2.0 token endpoint (v2) URL Optional Userinfo Endpoint The endpoint that allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user.
Example:
https://graph.microsoft.com/oidc/userinfoMandatory Authorize Endpoint The endpoint is used to obtain an authorization grant from the resource owner via the user-agent redirection.
Example:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorizeOptional Scope Management Endpoint The endpoint is used to manage the scopes. Mandatory -
Fill the Consumer Key Claim URI:
appid
in theClaim URIs
section. - Set the Grant Types:
client_credentials
(Only use this grant type). - Provide the relevant details in the
Connector Configurations
section.Configuration Instruction Microsoft Graph API Endpoint Paste the Microsoft Graph API endpoint
Mandatory Microsoft Graph API Endpoint Version Select the checkbox for v1.0
Mandatory Client ID Paste the Application (client) ID
Mandatory Client Secret Paste the client secret value that is generated Mandatory - Set the Permissions:
- Key Manager Permission: Permission type for role-based Key Manager restriction.
e.g.,PUBLIC
,ALLOW
,DENY
(Optional)
- Key Manager Permission: Permission type for role-based Key Manager restriction.
- Click on
Add
.
Step 2 - Create an Application & Generate Keys¶
- Click on
Add New Application
. - Fill the required information and click on
Add
. - Once created, navigate to the
Production Keys
section of that Application. - Select the
Azure AD Key Manager
and click onGenerate Keys
.
Troubleshooting Invalid Credentials Error
If you encounter the following error message when using a token generated by the Key Manager to invoke an API deployed in APIM:
{
"code": "900901",
"message": "Invalid Credentials",
"description": "Access failure for API: /exampleapi/1.0.0, version: 1.0.0 status: (900901) - Invalid Credentials. Make sure you have provided the correct security credentials."
}
iss
(issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. If there is a difference, update the issuer in the Key Manager Endpoints section to align with the iss
value present in the token.
Post checks¶
Under App registration there should be a newly created application. The value should be
`api://<Application (client) ID>`
We can also get this value by clicking the set
link right next to the label. Default value is what we will see above.
Without this in the app, the token will be generate in a version 1 format and will not work with APIM KM due to failed signature.
Update the client_password¶
Update password is not supported by providing new one from the APIM. When ever the application is updated via APIM a new client_secret
is set.
Failed to add password. Error detail: Unable to save changes because the credential limit has been reached. Please delete a credential and try again.
If you see this message in logs or while updating the application several times, The issue is with limitation with Azure AD client_secret
. At a given application max number of client_secrets can have is 2. Delete old one from AzureAD console web client.
Adding existing key with APIM¶
With the limitation on getting generated client_secrets
after its generated, it not support to add existing keys from APIM.