Secure API in Azure API Management using OKTA Identity management

Mohit Gupta
Jan 10 · 3 min read

OKTA provides an authorization server for managing user identity. We can use OKTA to manage user identity for our web application.

In this article I will describe how to use OKTA to secure an API in Azure API Management.

Create API Management

Create an API Management instance in the Azure Portal. It will take 45 minutes for the API Management instance to become active.

Import API into API Management

You can use your own API as the backend service. I am using the Microsoft Conference API as a demo.

For testing you can import the Conference API from:

https://conferenceapi.azurewebsites.net?format=json

Now you can test your API using the URL https://mycompany.azure-api.net/sessions

At this point the API is not yet secured: it can be accessed without any credential or token.

Now we have to secure our API with the OKTA identity authorization server.

Create New Application in OKTA developer portal

Create a new application in the OKTA Developer portal to represent the client application or API.

Allow both the Client Credentials and Authorization Code grant types.

The application should be accessible using both Client Credentials and Authorization Code.

Copy the Client Secret and Client ID.

Secure the API Developer Portal:

Azure provides an API Developer Portal for API documentation. Developers can perform tests and see the request and response in the portal.

Register the OKTA authorization server as an OAuth 2.0 service

Copy the redirect_uri and paste it into the OKTA application

Secure the Developer portal with OAuth 2.0

Test the Developer Portal

To secure the API, specify a JWT validation policy:

Now, to secure the API, we include the JWT validation policy at the API level. The policy needs the OpenID metadata URL of the OKTA authorization server so that API Management can fetch the signing keys; the URL below is a placeholder to replace with your own OKTA domain.

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <!-- Placeholder: OpenID metadata URL of your OKTA authorization server -->
    <openid-config url="https://{yourOktaDomain}/oauth2/default/.well-known/openid-configuration" />
</validate-jwt>

Test your API:

When you call the API without an authorization token, it returns a 401 error.

Fetch a token from the OKTA auth server

To use the client_credentials grant type we must first create a custom scope on the OKTA authorization server.

Fetch Token
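The token fetch and the API test described above, as an added example that is not from the original article. It assumes an OKTA org domain, a client ID and secret, a custom scope named api.read and the default OKTA authorization server; only the API Management URL comes from the article.

```python
"""Added example: obtain an access token from OKTA with the client_credentials
grant and call the API behind Azure API Management. Placeholder values below."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

OKTA_DOMAIN = "https://dev-123456.okta.com"              # placeholder OKTA org
TOKEN_URL = f"{OKTA_DOMAIN}/oauth2/default/v1/token"      # default auth server
API_URL = "https://mycompany.azure-api.net/sessions"      # APIM URL from the article
SCOPE = "api.read"                                        # assumed custom scope name

def build_token_request(client_id, client_secret, scope=SCOPE):
    """Body and headers for the client_credentials grant; the secret goes in the Basic header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return body, headers

def fetch_token(client_id, client_secret, scope=SCOPE):
    body, headers = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def decode_claims(token):
    """Read the JWT payload for inspection only; signature and expiry are checked by validate-jwt."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)                  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def call_api(token):
    """Call the protected API; a missing or invalid token yields the policy's 401."""
    req = urllib.request.Request(API_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

# Constructed, unsigned sample token (placeholder signature) for offline inspection only
SAMPLE_CLAIMS = {"iss": f"{OKTA_DOMAIN}/oauth2/default", "aud": "api://default", "scp": [SCOPE]}
SAMPLE_TOKEN = ".".join(base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
                        for p in ({"alg": "RS256", "typ": "JWT"}, SAMPLE_CLAIMS)) + ".sig"
```

Against a live tenant, call fetch_token with the real client ID and secret, then pass the result to call_api; compare the iss and aud claims from decode_claims with what the validate-jwt policy expects when a 401 is unexpected.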

AzureDiary

All about Azure

Mohit Gupta

Written by

Integration Developer works on Azure , DevOps , BizTalk. Contact : mohit.e.gupta@gmail.com
