VimalTesting an Azure AD–protected API involves obtaining a valid access token from Azure AD and then including that token in your API requests. Here's a step-by-step guide:
1. Register an Application in Azure AD (if not already done)
For the API:
- Register your API in Azure AD.
- Expose an API by configuring scopes (permissions) in the Expose an API section.
- Authorize a client application that this API trusts in order to allow the client application and users to invoke this API. Add a trusted client using
Add a client applicationoption.
For the Client/Test App:
- Register a separate client application (or use an existing one).
- Under API permissions, add the API's scopes. Applications are authorized to call APIs when they are granted permissions by users/admins as part of the consent process.
Step-by-step instructions on App registration
2. Obtain an Access Token
You have several options to obtain an access token:
A. Using Postman's OAuth 2.0 Flow
1.In Postman, open the Authorization tab for your request.
- Set Type to
OAuth 2.0. 2.Click Get New Access Token and fill in the following: - Token Name: (e.g., "AzureADToken")
-
Grant Type:
Authorization Code(for interactive login) orClient Credentials (for service-to-service scenarios) -
Callback URL:
https://oauth.pstmn.io/v1/callback -
Auth URL:
https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/authorize -
Access Token URL:
https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token - Client ID: Your client application's Application (client) ID
- Client Secret: (if using client credentials or authorization code flow, provide secret)
-
Scope: Use your API's scope (e.g.,
api://{API_Client_ID}/.defaultor a specific scope you defined) - State: (optional)
- Click Request Token and complete the login if prompted.
B. Using Command-Line Tools (cURL)
If you're using the client credentials flow, you can request a token via cURL:
curl -X POST https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id={`CLIENT_ID`}" \
-d "client_secret={`CLIENT_SECRET`}" \
-d "scope=api://{`API_Client_ID`}/.default" \
-d "grant_type=client_credentials"
Replace {TenantID}, {CLIENT_ID}, {CLIENT_SECRET}, and {API_Client_ID} with your values.
The response will include an "access_token" field.
3. Call the Protected API
Once you have the access token:
Using Postman
- In Postman, select your API request.
- In the Authorization tab, choose Bearer Token and paste the access token.
- Send the request.
- If the token is valid and the user has proper permissions, the API should return the expected response.
- Otherwise, you might see a 401 Unauthorized or 403 Forbidden error.
Using cURL
curl -X GET https://<your-api-url>/api/protected-endpoint \
-H "Authorization: Bearer <ACCESS_TOKEN>"
- Replace
<your-api-url>with your API's URL and<ACCESS_TOKEN>with the token you obtained.
4. Validate and Troubleshoot
Decode the Token:
Use jwt.ms to decode your JWT token and verify the claims (like issuer, audience, scopes, expiration).Check API Configuration:
Ensure that your API's token validation parameters (Authority, Audience, etc.) match the token’s values.Review Azure AD Permissions:
Confirm that the client app has been granted the required permissions for the API.
Following these steps will help you test your Azure AD–protected API effectively.
If you have any questions or run into issues, let me know!
