Azure API Management Integration

Good morning/afternoon.

I’ve been looking at this for a few hours now and have been struggling to make it work.

I’ve followed this tutorial: Integrate with Azure API Management.

Everything works, UNTIL I get to the very last step to verify it.

It says to open the developer portal and then go down to security to Authorization and choose the Auth2 setup (called Auth0), which is the implementation I’ve built based on the tutorial itself.

When I do that, a pop-up shows up and I can log in perfectly well, but then I receive the following error:

An error has occurred while authorizing access via Auth0 : access_denied Unauthorized

The closest I’ve found to this has been this (Management API, access_denied, Unauthorized) article in the community about someone trying to connect to the Auth0 Management API. The solution seems to be needing a token, which I did try even though I thought it shouldn’t be necessary, but it didn’t work either.

I would be very grateful if anyone could give me any advice to get me past this hurdle.

Thanks in advance,

Scott

Did you manage to get to the bottom of this? I’m having exactly the same issue at the moment.

I’m running into the same issue as well. Has anyone found a solution?

If you are following this tutorial:

The only thing that is hard to understand from the instructions is the Authorization URL.
This URL needs to be fetched from the Machine to Machine app, under advanced settings.
Ex: https://{yourTenant}.eu.auth0.com/authorize

When setting the Azure APIM OAuth 2.0 config, you will add this URL, client ID, client secret etc.
This then is all appended to your URL when you are trying to log in, except for the audience.

So your Authorization URL should look like this:
https://{yourTenant}.eu.auth0.com/authorize?audience={YourAPI audience}

To test this, go to the APIM developer portal, go to APIs (hold CTRL + click on the link), select an endpoint and “try it”, after that select Auth0 as the provider, and the pop-up from Auth0 should show the name of the Machine to Machine app.

I figured this out.

The article is missing a couple of important items.

  1. In the Azure Portal for setting up the OAuth2.0 stuff there is a field named “Authorization endpoint URL”. You need to append the API audience like this: https://{your domain}.auth0.com/authorize?audience=https://{your audience url}.com This is important, otherwise you won’t receive a valid JWT token (it’ll be some encrypted thingy in a weird format with two consecutive dots in the middle).

  2. If you want to set the API Management policy for Validate JWT you need to at the very least set the “Open ID URLS” field. It’s not a required one so it’s confusing when you don’t set it and the validation fails. You can grab this URL from your machine-to-machine application under Advanced > OpenID Configuration


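Both answers above come down to the same two checks: the Authorization endpoint URL handed to APIM must carry the `audience` of your API, and the token that comes back must be a real JWT (three dot-separated segments) rather than the five-segment encrypted form with the "two consecutive dots". The script below is an added example written for this thread, not code from the Auth0 tutorial or from Azure APIM; the tenant name, API identifier and the two sample tokens are constructed, and the claim that Auth0's opaque token has the compact JWE shape is an assumption matched to the description in the post above. The `unverified_claims` helper decodes the payload without checking the signature, which is only useful for seeing which `aud` a token carries while debugging; the real validation stays with the APIM Validate JWT policy pointed at the tenant's OpenID configuration URL.

```python
"""Diagnose the two pitfalls from the thread: a missing `audience` on the
authorize URL, and a token that is not a verifiable JWT.
Added example for this thread, not code from the Auth0 tutorial or from
Azure APIM. Tenant, audience and token values below are constructed."""
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def with_audience(authorize_url: str, audience: str) -> str:
    """Return the Auth0 /authorize URL with `audience=<API identifier>` appended,
    keeping any query parameters already present. APIM appends client_id,
    redirect_uri etc. itself at login time, but never the audience."""
    parts = urlsplit(authorize_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["audience"] = audience
    return urlunsplit(parts._replace(query=urlencode(query)))


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def classify_token(token: str) -> str:
    """Classify the shape of an access token.

    'jws'    three non-empty segments (header.payload.signature): a JWT that a
             Validate JWT policy can check against the tenant's JWKS.
    'jwe'    five segments, typically with an empty second one ('..'): the
             compact JWE form. Assumption: this is the "encrypted thingy with
             two consecutive dots" returned when no audience was requested.
    'opaque' anything else.
    """
    segments = token.split(".")
    if len(segments) == 3 and all(segments):
        return "jws"
    if len(segments) == 5:
        return "jwe"
    return "opaque"


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (debugging aid
    only; signature verification belongs to the APIM Validate JWT policy)."""
    if classify_token(token) != "jws":
        raise ValueError("not a JWS/JWT; request the token with an audience")
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def audience_matches(token: str, expected_audience: str) -> bool:
    """True if the token's `aud` claim (string or list) names the expected API."""
    aud = unverified_claims(token).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected_audience in aud


# Constructed sample data: example tenant, example API identifier, and a JWT
# whose signature segment is a placeholder (it cannot be verified).
TENANT_AUTHORIZE_URL = "https://example-tenant.eu.auth0.com/authorize"
API_AUDIENCE = "https://api.example.com"
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://example-tenant.eu.auth0.com/",
        "aud": [API_AUDIENCE, "https://example-tenant.eu.auth0.com/userinfo"],
    }).encode()),
    "placeholder-signature",
])
# Constructed token in compact JWE shape (empty second segment -> '..').
SAMPLE_OPAQUE = "eyJhbGciOiJkaXIifQ..c29tZWl2.Y2lwaGVydGV4dA.dGFn"

if __name__ == "__main__":
    print(with_audience(TENANT_AUTHORIZE_URL, API_AUDIENCE))
    print(classify_token(SAMPLE_JWT), classify_token(SAMPLE_OPAQUE))
    print(audience_matches(SAMPLE_JWT, API_AUDIENCE))
```

Paste the URL printed by `with_audience` into the APIM “Authorization endpoint URL” field; if a token you copy out of the developer portal classifies as `jwe` or `opaque`, the audience is still missing from that URL, and if it classifies as `jws` but `audience_matches` is false, the audience you appended is not the identifier of the API the policy validates against.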

Thanks for sharing that with the rest of community!