
fyo-9047 asked · MayankBargali-MSFT commented

AAD as OpenIDConnect provider for APIM

I cannot find an official MSFT doc on AAD as an OpenID Connect provider for APIM. Is this implementation even possible?

We are unable to use OAuth2 since the customer requires OpenID Connect due to security policies.

Found this resource online and followed the steps:
https://winterdom.com/2017/11/11/openid-connect-api-management

However, I faced this problem when using the APIM dev portal console:
Clicking the implicit field for Authorization in the console, a redirect to the MSFT identity platform pops up, it authenticates to AAD and an error shows.

AADSTS500013: Resource identifier is not provided.

Can you help me with this issue? I lodged a support request on the Azure portal but the support engineer was not useful.

Tags: azure-api-management, azure-ad-app-registration

@fyo-9047 I am verifying it at my end and will be updating the thread.


@fyo-9047 Following up to see if my answer helps. Do let me know if you have any queries.


1 Answer

MayankBargali-MSFT answered

Hi @fyo-9047

Apologies for the delay in responding. I have tested the setup at my end following this document. I was able to repro the same error:

AADSTS500013: Resource identifier is not provided.

Please verify that you are using the correct metadata endpoint URL. To resolve the error, I have updated the metadata endpoint URL in OpenID Connect for your API resource as below. You can get the metadata endpoint URL by navigating to Endpoints for your AD application.
https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration

Policy:

    <!-- Reject the call with 401 when the bearer token is missing or fails any check below -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <!-- Tenant-specific v2.0 metadata document: APIM reads the issuer and jwks_uri (signing keys) from it -->
        <openid-config url="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration" />
        <required-claims>
            <!-- Only accept tokens issued for this API's own app registration (its client ID) -->
            <claim name="aud">
                <value>cdd5fcc6-7961-436e-8aa7-c25af82aceee</value>
            </claim>
        </required-claims>
    </validate-jwt>

Also, verify that you have added the redirect URL by navigating to AD application --> Authentication and verify that the Redirect URL is added:
https://{yourAPIMInstanceName}.developer.azure-api.net/signin-oauth/implicit/callback

Hope the above helps you to resolve the issue. Feel free to get back to me if you are facing any issue.

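The answer above configures APIM's validate-jwt policy but does not show what the policy actually enforces, or why the aud claim matters. The following is an added example, not code from the Q&A or from Microsoft: a stand-alone re-implementation of the same checks (signature, issuer from the metadata document, audience, validity window) run against constructed tokens. To keep it offline it signs tokens with HS256 and a constructed shared secret instead of AAD's RS256 keys from jwks_uri; the tenant ID, client IDs and secret are placeholders, not values from the page.

```python
"""Re-implementation of the checks APIM's <validate-jwt> policy applies to a
bearer token, as an added example that is not part of the Q&A above.

Assumptions that are not from the page:
  - Tokens are HS256-signed with a constructed shared secret so the example
    runs offline. Real AAD tokens are RS256-signed with keys fetched from the
    jwks_uri in the OpenID metadata document; the claim checks are the same.
  - Tenant ID, client IDs and secret are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

TENANT_ID = "00000000-0000-0000-0000-000000000001"       # constructed
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # constructed: app registration behind APIM
OTHER_CLIENT_ID = "22222222-2222-2222-2222-222222222222" # constructed: a different app in the same tenant
SECRET = b"constructed-shared-secret"                    # stand-in for AAD's RSA signing keys

# The field of a tenant-specific v2.0 metadata document that the issuer check needs.
OPENID_CONFIG = {"issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(aud: str, iss: str = OPENID_CONFIG["issuer"], exp_offset: int = 3600, alg: str = "HS256") -> str:
    """Build a JWT the way a token issuer would; alg='none' produces an unsigned token."""
    now = int(time.time())
    header = {"alg": alg, "typ": "JWT"}
    payload = {"iss": iss, "aud": aud, "iat": now, "nbf": now, "exp": now + exp_offset}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_jwt(token: str, expected_aud: str, openid_config: dict = OPENID_CONFIG,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Signature first, then issuer, audience and validity window. Returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable header or payload"
    # Pin the algorithm: 'none' and alg-confusion tokens never reach the key lookup.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected_sig = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return False, "bad signature"
    # Issuer must be the one the metadata document advertises (v1 tokens carry sts.windows.net).
    if payload.get("iss") != openid_config["issuer"]:
        return False, f"issuer {payload.get('iss')!r} is not trusted"
    # This is the <required-claims> aud check: a token minted for another app in the
    # same tenant is correctly signed and correctly issued, but not for this API.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, f"audience {aud!r} is not this API"
    now = int(time.time()) if now is None else now
    if payload.get("nbf", 0) > now:
        return False, "token not yet valid"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def demo() -> dict:
    """Run the policy against constructed tokens covering the cases it must reject."""
    v1_issuer = f"https://sts.windows.net/{TENANT_ID}/"
    return {
        "good": validate_jwt(mint_token(API_CLIENT_ID), API_CLIENT_ID),
        "wrong_aud": validate_jwt(mint_token(OTHER_CLIENT_ID), API_CLIENT_ID),
        "v1_issuer": validate_jwt(mint_token(API_CLIENT_ID, iss=v1_issuer), API_CLIENT_ID),
        "expired": validate_jwt(mint_token(API_CLIENT_ID, exp_offset=-10), API_CLIENT_ID),
        "alg_none": validate_jwt(mint_token(API_CLIENT_ID, alg="none"), API_CLIENT_ID),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:>10}: {'accept' if accepted else 'reject'} ({reason})")
```

Two points worth taking from the example back to the policy. First, the aud check is the only thing that stops a perfectly valid token issued by the same tenant for some other application from being accepted at your API, so the client ID in required-claims must be the one for the API's own app registration. Second, the issuer check is only as specific as the metadata document: the tenant-specific URL used in the policy block advertises a concrete issuer, whereas the v2.0 common and organizations documents advertise the templated value https://login.microsoftonline.com/{tenantid}/v2.0, so if only one tenant should be trusted, keep the tenant-specific metadata URL rather than the organizations one mentioned in the text.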