Azure : “My first REST API Call”-tutorial

Introduction

For today’s post, we’re going to do a REST call towards an Azure API. For this we’re going to create a “Servce Principal” and afterwards use the credentials from this object to get an access token (via the Oauth2 Client Credentials Grant) for our API.

 

Protocol Flow

What’s the flow going to be?

  1. The application does a clients_credential call. Here it’ll provide ;
    1.  it’s application id as a client_id
    2. it’s secret as the client_secret
    3. choose “clients_credentials” as the grant_type
    4. set the “resource” to “https://management.azure.com”
  2. AAD will return an access token
  3. You can now call the API adding an additional header ;
    1. Header Name = Authorization
    2. Header Value = “Bearer *accesstoken*”
  4. The API will return a response

(Source : https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service )

 

Now let’s see how that would look in reality?

 

Creating your Service Principal

First we’ll start off by creating our service principal. Look towards a service principal as a “daemon/system user”. For a more appropriate wording, check an earlier post… Anyhow, let’s go to “App Registrations” in our Azure Active Directory.

And create a new one…

Nothing fancy here…

Copy the “Application ID”, and save it. This is going to be your “client_id”.

And create a “Key”, which will be your “client_secret”. So please note that down as well!

 

Granting Rights

Now that we’ve created the service principal. Grant it the appropriate rights it needs for its job ;

In this case, I’ve added my SP with way too much rights… 😉

Finding the REST API

The tip of the day here is to navigate to https://resources.azure.com . This is the Azure Resource Explorer, which provides you with a detailed (and up-to-date!) view of the APIs for YOUR resources.

So for this Demo, I’ve navigated to a resources (B2C Directory) and copied the URL to get the object information.

 

Testing

Now let’s test! Do a post towards the following URI ;

https://login.microsoftonline.com/<tenant id>/oauth2/token

And add the following keys to the body (as mentioned at the start of the post ) ;

The response will include an access token. Copy this value… If you are very curious, you can even decrypt this via the following website ; http://jwt.ms/

For now, we’ll be using this access token as the authorization header for our REST API call. For this, add a header called “Authorization” and put “Bearer ” in front of your access token for the value.

And BOOOM! That’s it… 😉

 

Common Issue

A common issue is to forget setting the “resource”. By setting this value, you are defining the scope of your access token.

If you fail to set the resource, then Azure will indicate that the scope is not correct and that the access token isn’t relevant for its APIs. Thus… you won’t be able to access the services.

Closing Thoughts

  • A client_credentials flow should only be done if the secrets can be safeguarded. Do not use them in an SPA (Single Page Application) or in an app that is on an untrusted device.
  • Do not forget to set your resource, or you won’t be able to access the Azure REST APIs.
  • The examples above were done by using Postman. Your biggest friend when working with API Development! 😉
  • Oauth is THE standard in terms of cloud / identity. I concur that it’s rough to start with… Though do each flow via direct calls (without using an SDK) to get it “into your fingers”. Once you know what is going on, please only use an SDK, as with security… the slightest slip-up will haunt you!
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.