> Using Auth0 as an OAuth 2.0 server to authenticate users wanting access to an API managed by the Azure API Management service

# Integrate with Azure API Management

<Card title="Before you start">
  You'll need a Microsoft account with access to the [Azure Portal](https://azure.microsoft.com/en-us).
</Card>

The [Azure API Management](https://azure.microsoft.com/en-us/products/api-management/) service allows you to create new APIs or import existing API definitions and publish them for use by the approved audiences. Auth0 makes authorizing users of your API (using <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth+2.0">OAuth 2.0</Tooltip> standards) easy.

In this tutorial, you'll learn how to use Auth0 to authenticate and authorize users when they access a Basic Calculator API managed by Azure API Management.

## Configure Auth0

### Create an API

You'll need to create an API in Auth0 to represent the API managed by the Azure API Management Service. To learn more, read [Register APIs](/docs/get-started/auth0-overview/set-up-apis).

1. Navigate to [Auth0 Dashboard > Applications > APIs](https://manage.auth0.com/#/apis), and select **Create API**.
2. Set the following parameters:

   | Field                 | Value              |
   | --------------------- | ------------------ |
   | **Name**              | `Basic Calculator` |
   | **Identifier**        | `basic-calculator` |
   | **Signing Algorithm** | `RS256`            |
3. Select **Create**.

### Create a Regular Web Application

You'll need to create a Regular Web Application (RWA) in Auth0 to communicate with the OAuth 2.0 <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip> in Azure:

1. Navigate to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the **Create Application** button.
2. Enter a **Name** for your application, and select **Regular Web Applications** for the application type.

### Create and enable a connection

You'll need to create a connection in Auth0 and enable it for your application:

1. Navigate to [Auth0 Dashboard > Authentication > Database](https://manage.auth0.com/#/connections/database), and select **Create DB Connection**.
2. Enter a **Name** for your connection. We suggest choosing a name that reflects the source of users (such as `Facebook` for a Connection that contains users using their Facebook credentials or `site-sign-ups` for a database connection where users sign up on your site).
3. Select **Create**.
4. Navigate to your connection's **Settings** page.
5. Switch to the **Applications** view, where you'll see a list of all the applications on your tenant.
6. Toggle the application you created previously to enable it for the connection.

### Create a user

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you already have a set of users, you can import them or create a [custom database connection](/docs/authenticate/database-connections/custom-db).
</Callout>

You'll need to have at least one user on your connection to test authentication and authorization. If you do not have an existing set of users for the connection, you can create one manually:

1. Navigate to [Auth0 Dashboard > User Management > Users](https://manage.auth0.com/#/users), and select **Create User**.
2. Enter an **Email** and **Password**, and select the connection you created in Step 3 for the **Connection** field.
3. Select **Create**.

## Configure Azure

### Create Azure API Management Service

You'll need to create an API Management Service instance in Azure to manage your API:

1. In the navigation bar, select **Create a resource**.
2. Once redirected, select **Web** > **API Management**.
3. Provide the following configuration variables:

   | Parameter               | Description                                                                                                                                                                                                                                                                                                                                                      |
   | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Name**                | The name for your service (which will also be used to create the URL you need to access the service)                                                                                                                                                                                                                                                             |
   | **Subscription**        | The Azure subscription you'll use with the service                                                                                                                                                                                                                                                                                                               |
   | **Resource group**      | The collection of [resources](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resources-portal) sharing a lifecycle, permissions, and policies. You can use an existing resource group or you can create a new one (you'll need to provide a name for the group if you create a new one)                                        |
   | **Location**            | Choose the location that services your API instance                                                                                                                                                                                                                                                                                                              |
   | **Organization name**   | The name of your organization                                                                                                                                                                                                                                                                                                                                    |
   | **Administrator email** | The email address of the person who will be administering this instance                                                                                                                                                                                                                                                                                          |
   | **Pricing tier**        | The pricing tier you want, which determines the number of calls you can make to your API, as well as the maximum amount of data transfer allowed. You must opt for the [Developer plan](https://azure.microsoft.com/en-us/pricing/details/api-management/) or higher; the Consumption plan does not offer sufficient functionality for this integration to work. |
4. Select **Create** to begin provisioning your service (this may take up to 15 minutes to complete).

### Import the sample API

For this tutorial, we will be importing and using the Basic Calculator API provided by Microsoft. For detailed instructions, see [Import and Publish Your First API](https://docs.microsoft.com/en-us/azure/api-management/import-and-publish#go-to-your-api-management-instance) from Microsoft.

When done, select **Create** to import your API. You'll be redirected to the summary page for your API when it's fully imported.

### Configure an OAuth 2.0 authorization server

To use Auth0 to secure your Azure API, you'll need to register Auth0 as an OAuth 2.0 authorization server:

1. Find the **OAuth 2.0 + OpenID Connect** area of your API Management service instance near the navigation bar. Select **OAuth 2.0**, and then select **Add**.
2. Go to the **Add OAuth2 service** configuration screen, and select the Authorization Code grant type.
3. Set the following parameters:

   | Parameter                          | Description |
   | ---------------------------------- | ----------- |
   | **Display name**                   | Enter a descriptive name for your authorization server, such as `Auth0`. |
   | **Id**                             | This field should auto-populate based on the display name you provide. |
   | **Description**                    | Enter a description for your authorization server, such as `Auth0 API Authentication`. |
   | **Client registration page URL**   | Enter `https://placeholder.contoso.com` as a placeholder. |
   | **Authorization code grant types** | Select `Authorization code`. |
   | **Authorization endpoint URL**     | Use the `authorization_endpoint` value from your tenant's [OIDC Discovery endpoint](https://\{yourDomain}/.well-known/openid-configuration) and append the `audience` parameter, set to the identifier of the API you created in Auth0. For example: `https://{yourDomain}/authorize?audience={API_AUDIENCE}`. |
   | **Authorization request method**   | Default is `GET`. |
   | **Token endpoint URL**             | Use the `token_endpoint` value from your tenant's [OIDC Discovery endpoint](https://\{yourDomain}/.well-known/openid-configuration). |
   | **Client authentication methods**  | Select `Basic`. |
   | **Access Token sending method**    | Select `Authorization header`. |
   | **Default scope**                  | Specify a default [scope](/docs/glossary?term=scope), if required. |
4. Under the **Client Credentials** section, enter your Auth0 application's client ID in the **Client ID** field and its client secret in the **Client secret** field.
5. Switch to the **Redirect URI** view, and copy the URI value in the **Authorization code flow grant** field.
6. Select **Create**.

### Configure Azure API to use Auth0

After you've created your OAuth 2.0 authorization server in Azure, you'll need to update your Azure API to use Auth0 for user authorization:

1. Under the **APIs** section in the navigation, select **APIs**.
2. Select the Basic Calculator API, and go to the **Design** view.
3. Switch to the **Settings** view.
4. Navigate to the **Security** section, and select **OAuth 2.0** under **User Authorization**.
5. Select the server you configured in the previous step for the **Authorization Server** field.
6. Click **Save**.

## Set the Allowed Callback URL in Auth0

After your Azure API is provisioned and configured to use Auth0 for user authorization, you'll need to update your Auth0 application:

1. Navigate to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications).
2. Select your application, and switch to the **Settings** view.
3. Enter the Redirect URI you copied previously into the **Allowed Callback URLs** field.
4. Click **Save**.

## Test the integration

In the Azure Portal, open your instance of the API Management service.

1. Select **Developer Console** to launch the developer-facing side of your APIs.
2. Go to **APIs** > **Basic Calculator**. This opens the page where you can make a `GET` call that adds two integers.
3. Select **Try It**. This will bring up the page where you can provide the parameters for your call.
4. Navigate to the **Authorization** section, and select **Authorization Code** (next to the **Auth0** field).
5. A popup window will appear with the Auth0 login widget (if it doesn't, ensure that any pop-up blockers are disabled for your browser). Enter the credentials for the Auth0 user you created in Step 4, and log in.
6. If you logged in successfully, a message will appear with the expiration date of the access token you can use to call your API.
7. Navigate to the bottom, and select **Send**. If the request is successful, you'll see a message containing the `HTTP 200` response at the bottom of the page.

### Configure a JWT validation policy for Access Tokens

In the previous step, the user is prompted to sign in when they try to make a call from the Developer Console. The Developer Console attempts to obtain an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip> on behalf of the user to be included in the API request. All Access Tokens will be passed to the API via the `Authorization` header.

Selecting an authorization server under **User Authorization** only tells the Developer Console how to obtain a token; it does not make the API Management gateway check the token on incoming requests. To validate the Access Token included with each request at the gateway (signature, expiry, issuer, and audience), use the [Validate JWT policy](https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy). Refer to Microsoft's documentation on [setting an API Management policy](https://learn.microsoft.com/en-us/azure/api-management/set-edit-policies?tabs=form).
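The following inbound policy is an added example of what such a `validate-jwt` policy looks like for the Basic Calculator API; it is not code from the original page or from Microsoft or Auth0. It assumes `{yourDomain}` is your Auth0 tenant domain, that the audience is the `basic-calculator` identifier created in Auth0 above, and that the `read:calculator` scope is a hypothetical scope you would only require if you granted it to the API (remove the `required-claims` block otherwise).

```xml
<!-- Added example policy (not from the original page). Replace {yourDomain}
     with your Auth0 tenant domain, e.g. your-tenant.us.auth0.com. -->
<policies>
  <inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true"
                  clock-skew="30"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized: access token is missing or invalid">
      <!-- The gateway downloads the RS256 signing keys (JWKS) referenced by the
           tenant's discovery document and caches them. -->
      <openid-config url="https://{yourDomain}/.well-known/openid-configuration" />
      <!-- Pin the audience to the Auth0 API identifier so that a token minted
           for a different API on the same tenant is rejected. -->
      <audiences>
        <audience>basic-calculator</audience>
      </audiences>
      <!-- Auth0 sets the iss claim to the tenant URL with a trailing slash. -->
      <issuers>
        <issuer>https://{yourDomain}/</issuer>
      </issuers>
      <!-- Optional: enforce a scope. Auth0 places granted scopes in the
           space-separated "scope" claim. "read:calculator" is an assumed name. -->
      <required-claims>
        <claim name="scope" match="any" separator=" ">
          <value>read:calculator</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Apply the policy at the API scope (or to the `add` operation only) through the policy editor. A request without a `Bearer` token, with an expired token, or with a token whose `aud` is not `basic-calculator` is then answered with `401` by the gateway before it reaches the backend, which you can confirm by resending the Developer Console request with the token removed.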
