I have an API hosted in Azure APIM with a jwt-policy that validates against Azure AD, boy, that was a mouthful!
My jwt-policy is located in the All Operations for my API.
I created an app registration for my API. I gave it a more “friendly” Application ID URL and exposed an API in the Scopes, called API.Access.
I took all the required parameters, ClientId, ClientSecret and the endpoints for Authorization and Token, and created an Environment in Postman.
I configured the Authorization at the folder level of the Postman collection. To get a new access token I clicked Get New Access Token – super intuitive! 😆
The generated Access Token is automatically used by my People List, because it inherits the folder Authentication.
My call to v2/people works perfectly, and I get back a list of Star Wars characters.
I apologize in advance for not going too deep into the above, if you have any questions, please leave a comment and I’ll do my best to answer promptly.
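For readers who want to see what the jwt-policy mentioned above actually enforces, here is an example inbound validate-jwt policy for APIM. This is an added example, not the policy from the original post: the tenant id and the Application ID URI are placeholders, and the API.Access scope name is the one exposed on the app registration described above. The policy fetches the tenant's signing keys from the OpenID configuration document, then checks signature, expiry, audience, issuer and the delegated scope before the request reaches the backend.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject requests whose bearer token is missing, unsigned, expired or fails any check below. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-expiration-time="true"
                      require-scheme="Bearer"
                      require-signed-tokens="true">
            <!-- Placeholder tenant id: APIM downloads the signing keys published in this document. -->
            <openid-config url="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Placeholder Application ID URI of the API app registration.
                     Azure AD v2 tokens may instead carry the app registration's client id as the audience. -->
                <audience>api://my-friendly-api</audience>
            </audiences>
            <issuers>
                <!-- Issuer for Azure AD v2 tokens; v1 tokens use https://sts.windows.net/{tenant-id}/ instead. -->
                <issuer>https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0</issuer>
            </issuers>
            <required-claims>
                <!-- scp is space-separated; the token must include the delegated scope exposed on the app registration.
                     The same element works for a roles claim when the API uses app roles instead of scopes. -->
                <claim name="scp" match="any" separator=" ">
                    <value>API.Access</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Applying this at the All Operations scope means every operation of the API inherits the check, which is also where a per-operation policy can later tighten the required claims without repeating the signature and issuer validation.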
Now comes the fun part! In order to make a Canvas App in the Power Platform, we will need to create a Custom Connector to access the API.
Open up the Power Apps portal.
Navigate to Dataverse and Custom Connectors, then click New custom connector and Create from Azure Service (Preview).
Configure the Custom Connector to point to the API in Azure APIM and click Continue.
Navigate to the Security tab and click Edit for Authentication type.
Set Choose what authentication is implemented by your API to OAuth 2.0.
Update the OAuth properties based on the app registration created earlier.
I wasn’t sure what to set the Refresh URL to, so I set it to the Authorization URL.
Click Create Connector.
Note, I disabled the need for a Subscription Key to be required on my API, if you need this, then you will want to add a policy to add the Ocp-Apim-Subscription-Key header with the Subscription Key.
Navigate to the Test tab and click New connection.
Click Create.
You should now be prompted to login. The Custom Connector will use your credentials for testing.
The Custom Connector can now be tested!
Navigate to the Test tab and click Test operation.
What now?
I created a Canvas App that uses my Custom Connector.
The first time I open the Custom Connector I am prompted to Allow the Custom Connections, one of which requires me to Authenticate with Azure AD.
When a user opens an app that makes use of this Custom Connector, they will be prompted to Allow or Fix Connection, which will prompt them to authenticate.
Once authenticated, they can now start using the Canvas App and any calls made to the Custom Connector will be on the behalf of the currently logged in user.
One concern I have is how long that token is good for. Will I be prompted to Fix connection or something else? I will wait and see and update accordingly.
Thanks!
Hi Matt,
It would be nice to see your input into the Postman (variables) to get a JWT-token.
I’m doing a similar setup so that would make it easier.
Hi Matt, I have a somewhat different scenario that I’m struggling with. My API is also hosted in APIM, and the validate jwt policy checks for a token with a role claim (IBOTP.Administrator in my case). When in postman I request a token and test an api operation with the returned token as the authorization bearer token, everything works. My policy looks like this:
api://18bc24b3-5593-475e-bcd9-5699cd9352d9/.default
api://18bc24b3-5593-475e-bcd9-5699cd9352d9
https://sts.windows.net/72514d97-3828-4011-ac8b-7c125a8d33fa/
IBOTP-Administrator
I haven’t been able to get a custom connector working. Do you know what the security configuration should be for this to work ?