
I have set up an APIM instance as a proxy for a webapi we expose, I want to access the APIM instance via Postman / .NET Client and enforce client_credentials (scope / secret / client_id) as set up by our own running separately hosted instance of Identity Server 4.

Have read so many posts in Stack Overflow but nothing helping me to achieve this, not interested in the developer portal Oauth / OpenID, I think I need an inbound policy on one of the APIM Products but can't seem to set that up. Can anyone spell out the stages I have to go through?

https://myidentityserver.azurewebsites.net/connect/authorize (Auth endpoint)
https://myidentityserver.azurewebsites.net/connect/token (Token endpoint)

1 Answer


Your clients need to run OAuth flows to get access tokens from identity server.

Your API needs to validate JWT access tokens received from your .NET client or Postman. You could do this in APIM (the API gateway) but I would do it in the API itself. Whichever server side token validation option is used, the server needs to download token signing public keys from the Identity Server JWKS endpoint.

Looking at the APIM way of doing this, pointing to a JWKS endpoint may not be supported. You may therefore have to paste in the key value(s), which is a little awkward. If you are using this, make sure you also configure the expected issuer and audience values from Identity Server.

Gary Archer
  • Gary - thanks for the reply - but meaningless to me! I'm going to have to mark this down as just too difficult to do as I would know where to start, strange though must be a fairly common requirement. Means I'll have to implement all the APIM goodies eg throttling, IP limiting, etc in the real API – WebInspired Feb 28 '23 at 13:09
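For the "APIM way" described in the answer above, here is an added example of an inbound `validate-jwt` policy (not from the answer or from Identity Server's own docs) that can be placed on the Product or API. It assumes the Identity Server instance from the question publishes its discovery document at `/.well-known/openid-configuration`, and the audience `myapi` and scope `myapi.read` are placeholders for whatever the API resource and scope are actually named in Identity Server.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject any request that does not carry a valid Bearer JWT in the Authorization header. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized: missing or invalid access token">
            <!-- Signing keys are fetched from the Identity Server discovery document (which points at its JWKS).
                 If discovery cannot be used in your environment, replace this element with
                 <issuer-signing-keys><key>BASE64_KEY_PLACEHOLDER</key></issuer-signing-keys> and keep the key current. -->
            <openid-config url="https://myidentityserver.azurewebsites.net/.well-known/openid-configuration" />
            <!-- Issuer must match the "iss" claim Identity Server puts in the token (normally its base URL, no trailing slash). -->
            <issuers>
                <issuer>https://myidentityserver.azurewebsites.net</issuer>
            </issuers>
            <!-- Audience must match the API resource name configured in Identity Server (placeholder value). -->
            <audiences>
                <audience>myapi</audience>
            </audiences>
            <!-- Require the client_credentials token to carry the expected scope; "scope" is space separated in IdentityServer4 tokens. -->
            <required-claims>
                <claim name="scope" match="any" separator=" ">
                    <value>myapi.read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A Postman or .NET client then obtains a token from `https://myidentityserver.azurewebsites.net/connect/token` with `grant_type=client_credentials` and sends it as `Authorization: Bearer <token>`; tokens with a wrong issuer, audience, scope, signature or an expired `exp` are rejected at the gateway before reaching the backend.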