AAD as OpenIDConnect provider for APIM

fyo 1 Reputation point
2020-09-26T19:42:59.917+00:00

I cannot find an official MSFT doc on AAD as an OpenID Connect provider for APIM. Is this implementation even possible?

We are unable to use OAuth2 since the customer requires OpenID Connect due to security policies.

I found this resource online and followed the steps:
https://winterdom.com/2017/11/11/openid-connect-api-management

However, I faced this problem when using the APIM dev portal console:
Clicking on the implicit field for Authorization in the console, the redirect to the MSFT identity platform pops up, authenticates to AAD, and this error shows:

AADSTS500013: Resource identifier is not provided.

Can you help me with this issue? I lodged a support request on the Azure portal but the support engineer was not helpful.

Tags: Azure API Management; Microsoft Entra ID

1 answer

  1. MayankBargali-MSFT 68,471 Reputation points
    2020-10-06T07:26:59.597+00:00

    Hi @fyo

    Apologies for the delay in responding. I have tested the setup on my end following this document. I was able to repro the same error:

    AADSTS500013: Resource identifier is not provided.

    Please verify that you are using the correct metadata endpoint URL. To resolve the error, I updated the metadata endpoint URL in OpenID Connect for your API resource as below. You can get the metadata endpoint URL by navigating to Endpoints for your AD application.
    https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration

    Policy:

        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>cdd5fcc6-7961-436e-8aa7-c25af82aceee</value>
                </claim>
            </required-claims>
        </validate-jwt>

    Also, verify that you have added the redirect URL by navigating to AD application --> Authentication and checking that this Redirect URL is present:
    https://{yourAPIMInstanceName}.developer.azure-api.net/signin-oauth/implicit/callback

    Hope the above helps you resolve the issue. Feel free to get back to me if you face any issue.

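What the `validate-jwt` policy in the answer actually enforces is easier to see in code: the `openid-config` URL is fetched, its `jwks_uri` supplies the signing keys, the token's `kid` selects one, the RS256 signature is verified, expiry and issuer are checked, and only then is the `aud` value from `required-claims` compared. The following stand-alone Python example, added here and not code from the question, the answer, or APIM, models that sequence offline with the standard library only: it generates a small local RSA test key in place of AAD's signing key and publishes it through `CONSTRUCTED_CONFIG` and `CONSTRUCTED_JWKS`, constructed stand-ins for the v2.0 openid-configuration document and the response of its `jwks_uri` (whose path is assumed here). The tenant id and the required `aud` value are the ones from the policy above; the `kid`, subject, key size and the function names (`issue_token`, `validate_jwt`, `outcome`) are chosen for the demo. A token minted for another audience is rejected at the `required-claims` step, the same point at which the policy answers with its configured 401.

```python
import base64, hashlib, json, secrets, time

TENANT = "72f988bf-86f1-41af-91ab-2d7cd011db47"        # tenant id used in the policy in the answer
API_AUDIENCE = "cdd5fcc6-7961-436e-8aa7-c25af82aceee"  # required "aud" value from that policy
KID = "demo-key-1"                                      # made-up key id for the locally generated key

def b64u(data: bytes) -> str:  # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin; fine for a throwaway key
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024) -> dict:  # demo size only; real signing keys are larger
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # odd and exactly b bits long
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": n, "e": e, "d": pow(e, -1, phi)}

# RS256 is RSASSA-PKCS1-v1_5 over SHA-256; this is the DER DigestInfo prefix for SHA-256
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_verify(n: int, e: int, signing_input: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)

KEY = generate_rsa_key()
_int_b64u = lambda x: b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))
CONSTRUCTED_CONFIG = {  # constructed subset of a v2.0 openid-configuration document
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys"}
CONSTRUCTED_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": KID,  # constructed jwks_uri response
                              "n": _int_b64u(KEY["n"]), "e": _int_b64u(KEY["e"])}]}

def issue_token(claims: dict, kid: str = KID) -> str:  # the identity provider's side of the exchange
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    k = (KEY["n"].bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), KEY["d"], KEY["n"]).to_bytes(k, "big")
    return signing_input + "." + b64u(sig)

def demo_claims(aud: str, ttl: int = 600) -> dict:  # constructed claim set for the demo
    now = int(time.time())
    return {"iss": CONSTRUCTED_CONFIG["issuer"], "aud": aud, "sub": "demo-user", "iat": now, "exp": now + ttl}

def _require(cond: bool, why: str) -> None:
    if not cond:
        raise ValueError(why)

def validate_jwt(token: str, config: dict, jwks: dict, required_aud: str) -> dict:
    """Checks in the order the policy applies them; a ValueError is where the policy answers 401."""
    h_b64, p_b64, s_b64 = token.split(".")  # raises ValueError on a malformed token
    header = json.loads(b64u_decode(h_b64))
    _require(header.get("alg") == "RS256", "unexpected alg")  # the token must not choose the algorithm
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    _require(key is not None, "unknown kid")  # kid selects the key published at jwks_uri
    n, e = (int.from_bytes(b64u_decode(key[f]), "big") for f in ("n", "e"))
    _require(rs256_verify(n, e, f"{h_b64}.{p_b64}".encode(), b64u_decode(s_b64)), "bad signature")
    claims = json.loads(b64u_decode(p_b64))  # claims are only trusted once the signature holds
    _require(claims.get("exp", 0) > time.time(), "expired")
    _require(claims.get("iss") == config["issuer"], "issuer mismatch")
    aud = claims.get("aud")
    _require(required_aud in (aud if isinstance(aud, list) else [aud]), "audience mismatch")  # <required-claims>
    return claims

def outcome(token: str, required_aud: str = API_AUDIENCE) -> str:  # "ok" or the rejection reason
    try:
        validate_jwt(token, CONSTRUCTED_CONFIG, CONSTRUCTED_JWKS, required_aud)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

`outcome(issue_token(demo_claims(API_AUDIENCE)))` returns `"ok"`, while a token issued for any other application id comes back as `"audience mismatch"` even though its signature is valid; that is why the `aud` value in `required-claims` must be the application id of the API itself. The real gateway fetches the two documents over HTTPS and caches the keys; the order of checks, signature before any claim, is the part worth keeping.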