
Azure Security articles in September

I decided to make September a month of Azure Security learning for myself. The following is a list of existing articles, and also new security articles which I have written:

  • Azure Policies – Learn what they are and why they are super useful and super easy to set up.
  • Azure Managed Service Identity – Managed Service Identity allows you to securely access your Azure resources and avoid storing credentials in your code.
  • Azure Role-Based Access Control – Role-based access control (RBAC) is a system that provides fine-grained access management of Azure resources.
  • Azure Key Vault – The Azure Key Vault service is where you store certificate keys, passwords and more, instead of having them stored within your application.
  • Azure DevOps Open Source Scan your code – Scan your code for open source vulnerabilities and learn what's out of date within your project, and also what vulnerabilities those versions may contain.
  • Azure DevOps – Secure DevOps Kit for Azure (AzSK) – The “Secure DevOps Kit for Azure” is a collection of scripts, tools, extensions, automations, etc. that caters to the end-to-end Azure subscription and resource security needs of DevOps teams, using extensive automation and smoothly integrating security into native DevOps workflows to help accomplish secure DevOps.
  • Intro to Azure Security – “Introduction to Azure Security” is written to provide a comprehensive look at the security available with Microsoft Azure.
  • Azure security documentation – everything you wanted to know about security within Azure.
  • Azure API Management using Okta to secure using OAuth 2.0 – use Okta to secure your APIs within Azure API Management.

Enjoy!



Azure API Management using Okta to secure using OAuth 2.0

This blog post will cover how to move an existing or new API into Azure API Management and then secure it using Okta.


Okta – “The Okta Identity Cloud provides secure identity management with Single Sign-On, Multi-factor Authentication, Lifecycle Management (Provisioning), and more”.

I had access to a development tenant within Okta, which looks something like this:


I created a new application, called it ‘Azure API Management’, and chose Web as the platform and OpenID Connect as the sign-on method, like so:

Now that we have filled this out, we can go back and edit it and see the screen which shows us the important details, including the Client ID, Client Secret and Login redirect URIs, all of which are needed in order to get this working.


Azure API Management

Within Azure, create a new instance of Azure API Management. Once it has been created, go to the left-hand menu and, under Security, select OAuth 2.0, then select Add. I gave it the name Okta.

The client registration URL is important here; you can find yours within your new application in Okta, under the Sign On tab, in the section that says OpenID Connect ID Token.

The other details which are very important are as follows (in red):

and further down that screen, where you see the Client ID and Client Secret:


That’s it for Azure, so let’s switch back to Okta.

Now we need to check the Sign On tab and take a note of some important settings.


At this stage we haven't added any APIs to Azure API Management, so let's do that by following this excellent example: https://docs.microsoft.com/en-us/azure/api-management/import-and-publish

Once you have imported an API you can test it in a number of ways, including tools like Postman, but you can also use the API Management developer portal, which you can launch from your Azure API Management instance back in Azure, as seen in the link below:


Now that we have the Developer Portal open, select APIs from the header and then click on the API you imported in the previous step.


Click the Try it button.

So, to check that things are talking to Okta and trying to get a token, we need to change the drop-down under the Authorization section from No auth to Authorization code. This will attempt to go off to Okta, and you should see a login prompt for Okta.


Once you enter your details and click Sign in, if all is set up correctly you'll now see something like this:

Now we have a bit saying when the access token will expire, and also at the bottom it shows lots of **** where the access token is added but hidden.

Other things of note

I had to create/edit an assignment (user) within Okta because I was set up with a username – so under Assignments within your application, make sure users have a username set up.

Note
The important part here is that you can access APIs in API Management and by default they'll always just work; the trick is to make them require an Okta token. Inbound policies are the magic th

Lastly, we need to add what's called an inbound policy to check that the token is valid – otherwise the calls will always succeed, with or without using Okta.

To add an inbound policy, go to your Azure API Management instance within Azure, then the developer portal, select your API, then select All operations (or the API call you wish to secure) and then select Inbound processing, like so:

Here we have several options for the inbound policy; in this example I chose validate JWT and filled it out as below:
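As an added example (not the post's own configuration), this is what the validate JWT inbound policy looks like when written out in API Management's policy XML for an Okta-issued token. The Okta domain, audience and client ID are placeholders, and the issuer and OpenID configuration URL assume Okta's default authorization server.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject any request that does not carry a valid Okta-issued bearer token.
             Without this policy the API answers every call, signed in or not. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. A valid Okta access token is required.">
            <!-- Signing keys are fetched from Okta's discovery document; {yourOktaDomain} is a placeholder -->
            <openid-config url="https://{yourOktaDomain}/oauth2/default/.well-known/openid-configuration" />
            <!-- Audience of Okta's default authorization server (placeholder; match your server's setting) -->
            <audiences>
                <audience>api://default</audience>
            </audiences>
            <!-- Only accept tokens minted by this authorization server -->
            <issuers>
                <issuer>https://{yourOktaDomain}/oauth2/default</issuer>
            </issuers>
            <!-- Optionally pin the token to the Okta application created above;
                 cid is the client_id claim in Okta access tokens ({yourClientId} is a placeholder) -->
            <required-claims>
                <claim name="cid" match="any">
                    <value>{yourClientId}</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A call without an Authorization header should now return 401 instead of the backend's normal response, which is the quickest check that the policy is actually being enforced rather than only prompting for a token in the developer portal.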

You can read more here on API Management policies.

And that is how you go about integrating Okta with Azure API Management.

Feel free to get in touch if you have any questions.