Secure an API in Azure API Management using OKTA identity management
OKTA provides a hosted authorization server that manages user identity and issues the tokens our web applications and APIs use to authenticate callers.
In this article I describe how to use OKTA to secure an API published through Azure API Management.
Create API Management
Create an API Management instance in the Azure Portal. Provisioning takes about 45 minutes before the instance becomes active.
Import API into API Management
You can use your own API as the backend service. For this demo I am using the Microsoft Conference API.
To follow along, import the Conference API into API Management from its description at:
https://conferenceapi.azurewebsites.net?format=json
After the import you can test the API with a URL such as https://mycompany.azure-api.net/sessions (replace mycompany with the name of your instance).
At this point the API is not secured: anyone can call it without a credential or token.
Next we secure the API with an OKTA authorization server.
Create New Application in OKTA developer portal
Create a new application in the OKTA Developer portal to represent the client application that will call the API.
Enable both the Client Credentials and Authorization Code grant types, so the application can obtain tokens either way: Authorization Code for interactive sign-in (used by the Developer Portal below) and Client Credentials for machine-to-machine calls.
Copy the Client ID and Client Secret; both are needed in the following steps.
Secure the API Developer Portal:
Azure provides a Developer Portal for API documentation. Developers can send test requests from the portal and inspect the request and response.
Register the OKTA authorization server in API Management as an OAuth 2.0 service.
Copy the redirect_uri that API Management generates for this registration and add it to the OKTA application's sign-in redirect URIs; without it the authorization code flow from the portal will be rejected by OKTA.
Secure the Developer Portal with the OAuth 2.0 service you just registered.
Test the Developer Portal by signing in and calling an operation; the portal should obtain a token from OKTA and attach it to the request.
For securing the API, specify a JWT validation policy:
To secure the API itself, add a validate-jwt policy in the inbound section at the API level. The policy reads the token from the Authorization header, fetches the signing keys via the jwks_uri in the authorization server's metadata document, and rejects the request with 401 if the token is missing or invalid:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://dev-374027.okta.com/oauth2/default/.well-known/oauth-authorization-server" />
    <required-claims>
        <claim name="aud" match="any"></claim>
    </required-claims>
</validate-jwt>
One caveat: as written, the required-claims element lists no acceptable value for aud, so it only requires that an audience claim exist. A token minted by the same OKTA authorization server for a different API would still pass. Add a value element with the audience configured on your authorization server (and, for client-credentials callers, a claim check on the custom scope you create) so the gateway accepts only tokens intended for this API. Also keep the metadata URL on the authorization server you actually issue tokens from; keys from any other issuer must not be trusted.
Test your API:
When you call the API without an authorization token, the gateway now returns HTTP 401 with the error message configured in the policy instead of forwarding the request to the backend.
Fetch a token from the OKTA authorization server
To use the client_credentials grant, you must first create a custom scope on the OKTA authorization server; OKTA will not issue a client-credentials token without one.
Then request a token with the Client ID, Client Secret and that scope, and send the returned access token in the Authorization header as a Bearer token when calling the API through the gateway.
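To show what the token request looks like on the wire and which checks the gateway policy should enforce on the returned token, here is an added Python example. It is not code from the original article, from Azure or from OKTA. It builds the client_credentials POST to the OKTA /v1/token endpoint and then applies the same checks as the policy above (signature, issuer, audience, expiry, scope) to a constructed access token, including the case the unpinned aud claim would miss: a token from the same issuer meant for a different API. The audience api://default and scope conference.read are assumptions about how the authorization server is configured; the client ID, secret and signing key are constructed demo values; and HS256 with a shared key stands in for OKTA's RS256 so the block runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Assumed, illustrative values: the org from the policy above and its default
# authorization server. The audience and scope are assumptions about how that
# authorization server was configured; check them in the OKTA admin console.
ISSUER = "https://dev-374027.okta.com/oauth2/default"
AUDIENCE = "api://default"
REQUIRED_SCOPE = "conference.read"


def build_token_request(issuer, client_id, client_secret, scope):
    """Return (url, headers, body) for a client_credentials grant.

    The client authenticates with HTTP Basic (base64 of "client_id:client_secret")
    and sends grant_type plus the custom scope form-encoded in the body. POST it
    with any HTTP client; the JSON response carries access_token and expires_in.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return f"{issuer}/v1/token", headers, body


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key):
    """Constructed access token for the demo.

    OKTA signs access tokens with RS256 and API Management fetches the public
    keys from the jwks_uri in the metadata document referenced by the policy;
    HS256 with a shared key stands in here so the example runs offline.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, key, issuer, audience, required_scope, now=None):
    """Apply the checks the gateway policy should enforce; return (ok, reason).

    Verify the signature before trusting any claim, then pin issuer and
    audience, then expiry, then the scope a client-credentials caller needs.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in claims.get("scp", []):
        return False, "missing scope"
    return True, "ok"


# Constructed sample data: a demo signing key, a fixed clock, and the claims
# OKTA puts in a client-credentials access token (cid is the client ID).
KEY = b"demo-only-shared-secret"
NOW = 1_700_000_000
GOOD_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 3600,
               "cid": "0oaexampleclientid", "scp": [REQUIRED_SCOPE]}
GOOD_TOKEN = mint_token(GOOD_CLAIMS, KEY)
# Same issuer, minted for a different API: a policy that only checks that an
# "aud" claim exists would accept it; pinning the audience rejects it.
OTHER_AUDIENCE_TOKEN = mint_token({**GOOD_CLAIMS, "aud": "api://other-service"}, KEY)
EXPIRED_TOKEN = mint_token({**GOOD_CLAIMS, "exp": NOW - 1}, KEY)

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("other audience", OTHER_AUDIENCE_TOKEN),
                      ("expired", EXPIRED_TOKEN)]:
        print(name, validate_token(tok, KEY, ISSUER, AUDIENCE, REQUIRED_SCOPE, NOW))
    url, headers, body = build_token_request(ISSUER, "0oaexampleclientid", "client-secret", REQUIRED_SCOPE)
    print(url, body)
```

Run the block directly to see the three verdicts and the request the gateway's clients must send. The ordering in validate_token is deliberate: the signature check comes first so that no claim is read from an unverified payload, and the audience check is what the policy on this page is missing without a value element.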