API Management (Managed Developer Portal) cannot log in with Entra ID: the /developer/identity endpoint called by JS says the Authorization header doesn't contain a valid token

Erik Jensen 15 Reputation points
2024-05-08T21:34:51.4633333+00:00

After following the detailed instructions in the documentation to enable Entra ID login for the developer portal on a "Developer" SKU API Management instance in a Virtual Network, using a Custom Domain and App Gateway for public ingress, I cannot get the Entra ID login to work.

  • Network Troubleshooter in API Management is all green.
  • User created in Entra ID
  • Group "API Developers" Created in EntraID
  • Entra Group Added to API Management
  • API-Group added to API Unlimited Product which only contains Echo API
  • Guest Group disassociated to Unlimited Product
  • Portal Access Verified via App Gateway over Custom DNS using hosts file on my pc
  • All NSGs for both AGW and APIM as per specifications and applied to their respective subnets
  • Login to Developer Portal via Username/Password Authorization Working
  • App-Registration Sign-In Logs show that the Entra ID account used during the SSO process is successfully signing in.
  • Using Edge's Developer Console, the JWT when plugged into https://jwt.io shows my Entra ID user in the payload
  • The request flow in the developer portal's login popup window seems to be:
    1. https://login.windows.net/common/.well-known/openid-configuration
    2. https://login.windows.net/common/oauth2/token (response contains token_type Bearer, access token, refresh token, id_token etc...)
    3. https://portal.mycustomdomain-name.com/developer/identity/api-version=2022-04-01-preview (which returns 401 Unauthorized: {"code": "Unauthorized", "message":"Please ensure that Authorization header contains valid token."} ... and in the request headers for this XHR I can see that the Authorization header includes the content "Aad id_token="the_id_token_from_the_earlier_token_request")

So it seems like this is all OOTB, but the /developer/identity endpoint doesn't seem to know how to extract the Aad token from the header, which I didn't even set... it was done by the JavaScript called "theme.js" on the developer portal's authentication pop-up.

Any thoughts on what may be wrong here?

  1. Erik Jensen 15 Reputation points
    2024-05-09T15:09:59.98+00:00

    This was a case of my expectations being different from the product's UX. On the first pass through the UX it goes to the "Complete Sign Up" page, which I'd assumed was not the expected behaviour. During the SSO configuration I had also added the Token Configuration to the auto-configured app registration.

    Namely, the claims added to the id_token are (as per step #17):

    • email
    • family_name
    • given_name

    in the App Registration, so the claim should have that info to pre-populate and create the user on the API Management side. This does seem like a product bug, in that it requires completing the sign-up in light of fully-populated Entra ID users; however, it's nice to see it works.
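    A check a practitioner would want before assuming the portal can pre-populate sign-up is to confirm that the id_token the popup actually sends in the `Aad id_token=...` Authorization header carries the three claims listed above. The following is an added example, not code from the question, the answer, or Azure API Management: it parses that header value, decodes the JWT payload without verifying the signature (the same inspection jwt.io does, so it is for diagnosis only, not for an authorization decision), and reports which of `email`, `family_name` and `given_name` are missing. The token, issuer, audience and user values are constructed for the demo.

```python
import base64
import json

# Claims the answer says must be emitted by the app registration's
# Token Configuration so the developer portal can pre-populate sign-up.
REQUIRED_CLAIMS = ("email", "family_name", "given_name")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url (JWT convention)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_id_token(authorization_header: str) -> str:
    """Pull the id_token out of the 'Aad id_token=<jwt>' value that the
    portal's theme.js puts in the Authorization header (as seen in the
    question's request 3)."""
    scheme, _, params = authorization_header.strip().partition(" ")
    if scheme != "Aad":
        raise ValueError(f"unexpected authorization scheme: {scheme!r}")
    for param in params.split(","):
        key, _, value = param.strip().partition("=")
        if key == "id_token" and value:
            return value.strip('"')
    raise ValueError("Authorization header has no id_token parameter")


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. This only shows
    what claims the issuer put in the token; never trust it for access."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def missing_signup_claims(token: str) -> list:
    """Return the sign-up claims that are absent from, or empty in, the id_token."""
    payload = decode_jwt_payload(token)
    return [claim for claim in REQUIRED_CLAIMS if not payload.get(claim)]


def build_unsigned_sample(payload: dict) -> str:
    """Constructed sample token with a dummy signature, for this demo only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{b64url_encode(b'not-a-real-signature')}"


# Constructed sample: an id_token from an app registration whose Token
# Configuration emits only 'email', so family_name and given_name are missing.
SAMPLE_PAYLOAD = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "example-app-registration-client-id",  # placeholder, not a real client id
    "email": "developer@example.com",
    "name": "Example Developer",
}
SAMPLE_HEADER = f'Aad id_token="{build_unsigned_sample(SAMPLE_PAYLOAD)}"'

if __name__ == "__main__":
    token = extract_id_token(SAMPLE_HEADER)
    print("missing sign-up claims:", missing_signup_claims(token))
```

    To use it against a real login attempt, copy the Authorization header value of the failing /developer/identity XHR from the browser's developer tools and pass it to `extract_id_token`; an empty list from `missing_signup_claims` means the Token Configuration step was applied, and anything else names the optional claims still to add.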

