Third-party Key Manager implementation that integrates Azure AD with WSO2 API Manager. This repo contains a sample implementation that consumes Microsoft's Graph API to create and manage Azure AD applications.

Kindly note that this implementation and feature are supported from WSO2 API Manager v3.2.0 onwards.

:construction: Development in progress
Execute the following command from the project's root directory to build:

Linux/macOS

```
mvn clean install
```

Windows

```
mvn clean install
```
Prerequisites

- An Azure account that has an active subscription. Create an account for free.
- The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:
- Completion of the Set up a tenant quickstart.
Create Application

1. Visit Azure home.
2. Navigate to Manage Azure Active Directory.
3. Navigate to App registrations.
4. Navigate to New registration, give it a name (e.g. KeyManager Client) and click Register.
Create secrets

1. Navigate to Certificates & secrets > Client secrets > New client secret.
2. Fill in the form with the relevant information and choose Custom as the value for Expires.
3. Make sure to copy the secret; it is shown only once.
Configured permissions

1. Navigate to API permissions > Add a permission > APIs my organization uses > Microsoft Graph.
2. Select Application permissions, check the required Application permission from the list, and click Add permissions.
3. Copy the application details.
Start the API Manager server and log in to the Admin portal to configure Azure AD as a Key Manager. Select Key Managers from the side panel and then click Add Key Manager. Fill in the form with the following values, in order:

- AzureAD
- Azure AD Key Manager
- Azure AD
- client_credentials (only use this grant type)
- Microsoft Graph API endpoint
- Application (client) ID
- OpenID Connect metadata document URL collected from the endpoints, then click Import
- Microsoft Graph API endpoint
- OAuth 2.0 token endpoint (v2) URL (token introspection is not supported in Azure AD)
- OAuth 2.0 token endpoint (v2) URL (token revocation is not supported in Azure AD)
- Microsoft Graph API endpoint
- Application (client) ID

Click Add.
Next, log in to the Devportal and navigate to the Applications section. Click Add New Application, fill in the details and click Add. Open the Production Keys section of that application, select Azure AD Key Manager and click Generate Keys.

Under App registrations there should now be a newly created application.
If you are using an existing app registration, make sure to check the Expose an API section and confirm that an Application ID URI has been set. The value should be `api://<Application (client) ID>`. You can also get this value by clicking the Set link right next to the label; the default value is the one shown above.

Without this in the app, the token will be generated in the version 1 format and will not work with the APIM Key Manager, because signature validation of the token fails.
Updating the password by supplying a new one from APIM is not supported. Whenever the application is updated via APIM, a new client_secret is set.

```
Failed to add password. Error detail: Unable to save changes because the credential limit has been reached. Please delete a credential and try again.
```

If you see this message in the logs, or while updating the application several times, the cause is the Azure AD client_secret limit: a given application can hold at most 2 client_secrets. Delete the old one from the Azure AD web console.
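As an added example (not code from this repo), the rotation the text describes, expressed as the Microsoft Graph calls a key manager would issue: when the app is already at the 2-secret limit, remove the earliest-expiring secret with `removePassword`, then create a new one with `addPassword`. The Graph actions are real endpoints; the object id, key ids and timestamps are constructed placeholders, and nothing is sent over the network.

```python
from datetime import datetime

GRAPH = "https://graph.microsoft.com/v1.0"
# Azure AD refuses a new client secret once an app already holds this many
# (the "credential limit has been reached" error quoted above).
MAX_CLIENT_SECRETS = 2
LIMIT_MARKER = "credential limit has been reached"


def is_credential_limit_error(message):
    """True when an addPassword failure is the secret-count limit rather than another fault."""
    return LIMIT_MARKER in message


def parse_ts(value):
    # Graph returns ISO-8601 UTC timestamps such as "2024-12-01T00:00:00Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def plan_secret_rotation(app_object_id, password_credentials,
                         display_name="apim-km-rotation", max_secrets=MAX_CLIENT_SECRETS):
    """Return the ordered Graph calls that add one new client secret without hitting
    the limit: remove the earliest-expiring secrets until a slot is free, then addPassword.
    The caller issues these requests with its own Graph access token."""
    by_expiry = sorted(password_credentials, key=lambda c: parse_ts(c["endDateTime"]))
    surplus = max(0, len(by_expiry) - (max_secrets - 1))
    calls = [
        {"method": "POST",
         "url": f"{GRAPH}/applications/{app_object_id}/removePassword",
         "body": {"keyId": cred["keyId"]}}
        for cred in by_expiry[:surplus]
    ]
    # secretText is returned only in the addPassword response, never on a later read,
    # so the caller must store it at that point.
    calls.append({"method": "POST",
                  "url": f"{GRAPH}/applications/{app_object_id}/addPassword",
                  "body": {"passwordCredential": {"displayName": display_name}}})
    return calls


# Constructed sample: a placeholder application object id and two existing secrets, in
# the shape GET /applications/{id}?$select=passwordCredentials returns (no secretText).
SAMPLE_APP_OBJECT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CREDENTIALS = [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "apim-km-rotation",
     "endDateTime": "2025-06-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "initial",
     "endDateTime": "2024-12-01T00:00:00Z"},
]
```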
Because a generated client_secret cannot be retrieved after it has been created, adding existing keys from APIM is not supported.

Big thanks to https://github.com/athiththan11/apim-km-azure for the initial base project.