DEV Community

Cover image for Testing Azure AD-protected API
Vimal
Vimal

Posted on • Edited on

Testing Azure AD-protected API

#authentication #microsoftentraid #security #appregistration

Testing an Azure AD–protected API involves obtaining a valid access token from Azure AD and then including that token in your API requests. Here's a step-by-step guide:

1. Register Applications in Azure AD (if not already done)

Two app registrations are required one representing the API and the other for the client application(frontend, postman) accessing the API.

Image description

For the API:
  • Create an app registration representing your API in Azure AD.
  • Expose the API by configuring scopes (permissions) in the 'Expose an API' section.
  • Authorize a client application that this API trusts in order to allow the client application and users to invoke this API. Add a trusted client using Add a client application option. This is usually the client Id representing the application that needs to access the API.

backendapp configuration

For the Client/Test App:
  • Register a separate client application (or use an existing one).
  • Under API permissions, add the API's scopes. Applications are authorized to call APIs when they are granted permissions by users/admins as part of the consent process.
  • Under Certificates and Secrets create a new secret and save it. Also, save client ID and tenant ID from the Overview screen, we'll need them later for obtaining access token.

frontendappconfiguration

Note: If you are using Postman as a client, additionally the app registration representing postman should have the callback Uri configured appropriately. Under Manage > Authentication of the app registration configure the redirect Uri as https://oauth.pstmn.io/v1/callback.

Image description

For complete understanding and step-by-step instructions on App registration

2. Obtain an Access Token

You have several options to obtain an access token:

A. Using Postman's OAuth 2.0 Flow

1.In Postman, open the Authorization tab for your request.

  • Set Type to OAuth 2.0. 2.Click Get New Access Token and fill in the following:
  • Token Name: (e.g., "AzureADToken")
  • Grant Type: Authorization Code (for interactive login) or Client Credentials (for service-to-service scenarios)
  • Callback URL: https://oauth.pstmn.io/v1/callback
  • Auth URL: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/authorize
  • Access Token URL: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token
  • Client ID: Your client application's Application (client) ID
  • Client Secret: (if using client credentials or authorization code flow, provide secret)
  • Scope: Use your API's scope (e.g., api://{API_Client_ID}/.default or a specific scope you defined)
  • State: (optional)
  • Click Request Token and complete the login if prompted.
B. Using Command-Line Tools (cURL)

If you're using the client credentials flow, you can request a token via cURL:

curl -X POST https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id={`CLIENT_ID`}" \
-d "client_secret={`CLIENT_SECRET`}" \
-d "scope=api://{`API_Client_ID`}/.default" \
-d "grant_type=client_credentials"

Replace {TenantID}, {CLIENT_ID}, {CLIENT_SECRET}, and {API_Client_ID} with your values.
The response will include an "access_token" field.

3. Call the Protected API

Once you have the access token, call the API:

A. Using Postman
  1. In Postman, select your API request.
  2. In the Authorization tab, choose Bearer Token and paste the access token.
  3. Send the request.
  • If the token is valid and the user has proper permissions, the API should return the expected response.
  • Otherwise, you might see a 401 Unauthorized or 403 Forbidden error.
B. Using cURL

curl -X GET https://<your-api-url>/api/protected-endpoint \
-H "Authorization: Bearer <ACCESS_TOKEN>"

  • Replace<your-api-url> with your API's URL and <ACCESS_TOKEN> with the token you obtained from previous step.

4. Validate and Troubleshoot

  • Decode the Token:
    Use jwt.ms to decode your JWT token and verify the claims (like issuer, audience, scopes, expiration).

  • Check API Configuration:
    Ensure that your API's token validation parameters (Authority, Audience, etc.) match the token’s values.

  • Review Azure AD Permissions:
    Confirm that the client app has been granted the required permissions for the API.

Following these steps will help you test your Azure AD–protected API effectively. If you have any questions or run into issues, let me know!

Top comments (0)