Azure-Samples / active-directory-aspnetcore-webapp-openidconnect-v2

An ASP.NET Core Web App which lets sign-in users (including in your org, many orgs, orgs + personal accounts, sovereign clouds) and call Web APIs (including Microsoft Graph)
MIT License

Readme does not describe, or is missing documentation that describes, the difference between authorization with Azure AD or OAuth #561

Open devamirsaleem opened 2 years ago

devamirsaleem commented 2 years ago

I am reading Microsoft documentation and using their apps / API to secure an API using Azure AD. But I got confused by two different approaches, as the articles describe setting up the client app and API.

This article describes "Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory", link: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

I am following another tutorial and using the built application for the web app and API, which describes "How to secure a Web API built with ASP.NET Core using the Microsoft identity platform. This sample demonstrates an ASP.NET Core Web App calling an ASP.NET Core Web API that is secured using Azure AD".

It further describes "1. The client ASP.NET Core Web App uses the Microsoft Authentication Library (MSAL) to sign in and obtain a JWT [Access Token]. 2. The [Access Token] is used as a bearer token to authorize the user to call the ASP.NET Core Web API protected by Azure AD."

So I am confused: are they two different things? If so, when should I use the 2nd option or the 1st? Both deal with Azure AD and claim to protect an API.

kalyankrishna1 commented 2 years ago

The first one is a product, for API management, which is a sort of higher level abstraction for publishing APIs. Thus, their instructions tend to be more around setting configuration in the API management portal. There is some overlap, like registering an app (API) in the Azure AD portal, but for the most part, the "protection" is done automatically by the API management service.

This sample is more "raw", where a developer develops and runs an API on their own and learns the ropes of how this API can then be protected by Azure AD. This API can be hosted in the API management, but you would remove the code that you wrote to protect it and use the instructions provided by the API management team. The client app's code will remain as is.
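To make the "raw" option concrete, here is an added example (not code from this sample, from Microsoft, or from the commenter) of the in-process bearer-token validation an ASP.NET Core Web API does with Microsoft.Identity.Web. It assumes an `AzureAd` section in appsettings.json and an exposed delegated scope named `access_as_user`; this is the part that a `validate-jwt` policy in API Management would take over, while the client app that acquires the token is unchanged.

```csharp
// Program.cs plus one controller, ASP.NET Core 6 with Microsoft.Identity.Web.
// Added example, not the sample's own code. Assumes appsettings.json has an
// "AzureAd" section (Instance, TenantId, ClientId) and that the API's app
// registration exposes a delegated scope named "access_as_user".
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Registers the JwtBearer handler bound to Azure AD: it fetches the tenant's
// signing keys from the OpenID Connect metadata endpoint and validates the
// signature, issuer, audience and lifetime of every incoming bearer token.
// This is the piece an API Management front door would do for you instead.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // missing or invalid token -> 401
app.UseAuthorization();    // valid token but not permitted -> 403
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
[Authorize]                          // a validated token is required ...
[RequiredScope("access_as_user")]    // ... and it must carry this delegated scope,
public class TodoListController : ControllerBase   // so tokens minted for other audiences or purposes are refused
{
    [HttpGet]
    public IActionResult Get()
    {
        // Key per-user data on the immutable object id claim, never on display name or email.
        string owner = User.GetObjectId();
        return Ok(new { owner, items = Array.Empty<string>() });
    }
}
```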

devamirsaleem commented 2 years ago

Thanks for your reply. Last time when I deployed the API on Azure I had to use the API Management tool regardless of not using OAuth. So let's say if I use the sample and deploy on Azure and do not use OAuth, the API would still be protected and the code would remain intact. However, if I go to implement OAuth in Azure then the code would be meaningless, but I won't have to remove it or do new coding?

kalyankrishna1 commented 1 year ago

The API mgmt is capable of working with OAuth providers like Azure AD, or you can use this sample to get more raw and handle the OAuth token validation bits yourself. Let us know if we can close this issue.