OAuth and Azure API Management
This series explores different scenarios for implementing OAuth with Azure API Management. We cover both protecting APIs with OAuth and calling OAuth-protected resources from various Azure services and CI/CD pipelines.
Each post includes practical examples that you can deploy and test yourself. All samples are available in a companion repository with complete Bicep templates and Azure Developer CLI (azd) configuration, making it easy to deploy the necessary Azure resources yourself.
Allthough all samples use APIs on Azure API Management, most of the concepts and configurations can also be applied to OAuth-protected APIs in general.
Protect APIs in Azure API Management with OAuth
Discover how to secure APIs in Azure API Management with OAuth 2.0 and Microsoft Entra ID using a fully automated, infrastructure-as-code approach. This post walks through deploying everything with Bicep, including app registrations via the Microsoft Graph Bicep extension, so you can avoid manual portal setup and ensure repeatable deployments.
Call OAuth-Protected APIs with Managed Identity from .NET
Learn how to call OAuth-protected APIs from .NET applications using Azure managed identity. This post shows how to implement secure API calls from Azure Functions without managing secrets, using the Azure Identity library and custom HTTP message handlers.
Call OAuth-Protected APIs with Managed Identity from Logic Apps
Azure Logic Apps Standard makes it easy to call OAuth-protected APIs using managed identity. This post demonstrates how to use the HTTP action’s built-in authentication and token caching for secure, reliable calls.
Call OAuth-Protected APIs with Managed Identity from API Management
Learn how to use API Management to call OAuth-protected APIs with managed identity. This enables secure API-to-API communication and privilege delegation patterns without managing secrets.
Call OAuth-Protected Backends from API Management using Credential Manager
Azure API Management’s credential manager provides a simple, managed way to handle OAuth flows with automatic token acquisition and caching. In this post, I show how to configure it using Bicep and integrate it into your APIs. I also highlight key considerations to help you decide when credential manager is the right choice versus custom token handling.
Call OAuth-Protected Backends from API Management using Send-Request Policy with Client Secret
When API Management’s credential manager isn’t suitable for your OAuth scenarios, you can implement token handling directly using policies. In this post, I show how to call OAuth-protected backends using the send-request policy with Client Credentials Flow and a client secret stored in Key Vault.
Call OAuth-Protected Backends from API Management using Send-Request Policy with Client Certificate
Learn how to implement certificate-based OAuth authentication in API Management using JWT assertions and the send-request policy. This approach provides stronger security than client secrets by proving possession of a private key without transmitting it.
Call OAuth-Protected APIs from GitHub Actions Using Federated Credentials
Learn how to execute automated integration tests against OAuth-protected APIs from GitHub Actions workflows using federated credentials. This enables secure API testing without managing secrets in your CI/CD pipeline.
