Getting started with Windows Azure AD Authentication using Postman
At a certain point, I was in need of an access token for the OAuth authentication setup on Azure using the grant method.
I was trying to integrate the SQL Data Sync 2.0 API into our application.
This requires a valid Bearer token, it seems out getting this configured is not that trivial, since there’s lots of documentation, but I couldn’t find any guide.
So consider this to be a guide to obtaining an access token for the SQL Data Sync REST API. It should be applicable for other REST API calls as well.
Login to portal.azure.com and create an application.
This is required, since all authentication boils down to granting access to an application. An application can be anything; a web app, native app, a script. Anything you wish to consume the Azure REST API from.
So we login to the portal and create a new application.
The type should be web app / API, since this is the most applicable for a scripting scenarion.
The signon URL can be anything, for a C# app or an application it should not matter, so I chose a non-valid URL.
Our new application should be created:
Open the newly created app.
Now, we will launch Postman and start configuring our REST calls.
We will configure all variables that we need throughout the OAuth authentication process.
Click the gear icon next to the environment selection box in Postman and select ‘Manage Environments’.
Add a new environment and fill in the following variables:
subscriptionId
resourceGroupName
serverName
databaseName
apiVersion
appId
adId
authCode
appSecret
tempAccessToken
appIdUri
Click on Update or Save to save the environment.
Back to the Azure portal
We still need to gather more values for the variables, the appIdUri can be found in the application we just created.
The appId value is Application ID.
Next, setup the permissions required for this app.
Click Add to add a new permission to the app.
Select the Windows Azure Service Management API, we need this permission because eventually, we will access the SQL Data Sync API.
Select the delegated permission to access Azure Service Management as organisation users.
The last thing we need to do here is grant the permissions for all the accounts currently in the AD.
Click Yes to allow.
The last thing we need from the application blade, is a key. This can be acquired via the keys blade.
Add a new key, the name should be something you can relate to, like ‘KeyForScript1’.
The value will be visible once Save is clicked and only once! Copy this value and save as appSecret value in Postman.
We also need the current Azure AD ID, this can be found in the properties blade of the Azure Active Directory section.
Save this as the adId value in Postman.
The remainder of this post will address Postman to test out the Azure REST API.
Create a new request with the following URI;
https://login.microsoftonline.com/{{adId}}/oauth2/authorize?client_id={{appId}}&response_type=code&response_mode=query&prompt=admin_consent&resource_id={{appIdUri}}Make sure your environment is selected in Postman.
Execute the first request using GET.
We will need to use an actual browser in order to authenticate, there is no way to copy the request from postman, so we’ll need to manually stitch up the URL (or use Fiddler).
Replace all the variables (adId, appId, appIdUri) from the URL above and launch the result in a browser.
When opened, we’re asked to choose an account, choose one that is associated with the subscription you used to create the application with.
If the login is correct, you will be asked to grant permissions (admin_consent) for the application. Choose Accept.
You should see the message above, and if your URL starts with http://localhost:1234. Unless you have something locally running on that port, the above page will be displayed. This means the authentication has succeeded.
In the response URL, you will see code parameter, please copy this long value into postman for authCode.
Please keep in mind that these authentication codes can be volatile. So if the steps below do not work, consider obtaining a new authCode.
As part of OAuth, we now need to request an access_token, this token will have a longer lifespan (for as long as the key is valid). Or until you decide to logout. Either way, it is advised to refresh (or renew) your access token each time you launch your application/script/app/…
Create a new POST request in Postman.
https://login.microsoftonline.com/{{adId}}/oauth2/tokenThis time, we will need a request body containing all our variables.
The body should be encoded as form-data and should have the following keys:
grant_type : authorization_code
code : {{authCode}}
client_id : {{appId}}
client_secret : {{appSecret}}
resource : https://management.core.windows.net
Since all the required variables are defined in Postman, we can execute this POST request and get the response.
Success!
You’ve now authenticated with Azure AD using OAuth and have received an access_token which you can use for $$$-reasons.
Copy the value of the access_token into a the Postman variable tempAccessToken
Accessing the Azure REST API with your access_token
Although this is described countless times on the web, I will demonstrate how to use Postman to access the Azure REST API.
We will get the subscriptions for our user as a demo using Postman.
Create a new GET request and input the following URL.
https://management.azure.com/subscriptions?api-version=2017-08-01In the Headers section, add the following headers.
Content-Type : application/json
Authorization : Bearer {{tempAccessToken}}
This should return a JSON response containing all your Azure subscriptions.
Next, we will get the all sync members from a sync group using Azure SQL Data Sync.
Create a new GET request in Postman using the following URL.
https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.Sql/servers/{{serverName}}/Databases/{{databaseName}}/syncGroups/{{syncGroupName}}/syncMembers?api-version={{api-version}}Add the syncGroupName variable to Postman and give it the name of the sync group.
The response should include the members of the sync group.
You are now ready to leverage the SQL Data Sync REST API using Postman, or integrate it in your app/script/web app.
As for Postman, to avoid typing the Authorization header time after time, you can create a header preset.
After adding, you can apply the preset pretty easily.
Happy posting!
