Google OAuth 2.0 Authorization In Azure API

Here I am going to demonstrate how we can use Google OAuth 2.0 in Azure API. App Service Authentication/Authorization is exposed in the Azure Preview Management Portal.

For connecting the API to Azure API Managment, we need to enable Google's OAuth 2.0 Authorization but didn't find the intersect of someone putting together the two. So, this article explains how to use Google OAuth 2.0 as Authorization Server in Azure API Management.

Before we started, you will need two things to configure.

  • An API Management instance in Azure
  • An account in Google's Services

After configuration of these two things, we start Google OAth 2.0 Authorization

Start OAuth Server addition

Create an Authorization Server in Azure API Management either in the OAuth Preview blade or in the API Management Publisher Portal.

The settings you need to use will look like this.

Azure

For changing the settings in OAuth Server, you will need to go to the "security section", then go to the OAuth 2.0 tab on the horizontal menu in left-hand side menu on the screen.

For your convenience, here are the field values as text so you may copy-paste them:

  • Google AdWords (replace AdWords with the Google service scope of your choice)
  • Google OAuth scoped to AdWords
  • https://console.developers.google.com/apis/credentials
  • https://accounts.google.com/o/oauth2/v2/auth
  • https://www.googleapis.com/oauth2/v4/token
  • https://www.googleapis.com/auth/adwords (replace the suffix of this URL with the specific Google service you seek to enable; here is the AdWords suffix. Google Drive and Google Mail, for instance, will have a different suffix. It should be possible to specify multiple scopes but I am not aware of the syntax for that.) 
Get client credentials from Google

However, to get the client credentials value, you need to create them on the Google account which in turn will need the redirect URI to restrict the allowed callers. The APIM page will give you this under "This is what the redirect URI for authorization code grant type looks like:"

i.e. https://<yourAPIMinstancename>.portal.azureapi.net/docs/services/<GUID>/console/oauth2/authorizationcode/callback  in this placeholder<> you will need to copy the actual value from your instance of APIM.

The client credentials can be created in Google's Developers console under the Credentials tab. Under Credentials, choose Create Credentials >> OAuth client ID

Azure

Select Web application as type. I use "API Management" as name, then copy the redirect URI from APIM.

Finally, hit "Create". A prompt will give you the client ID and client secret. If you discard the prompt by accident you can see these values again by opening the client entry again in the list of credentials. You can also correct the redirect URI or add more URIs if needed.

Azure

Back to APIM to complete the authorization server addition

You can now fill the Client ID and Client secret fields of the API authorization server addition. Hit Save at the bottom of the page to complete the addition. You should now see the new entry in the list of authorization servers:

Azure

Start using the authorization server for the Google APIs

Under the APIs section of API Management, after selecting a specific API such as the AdWords Campaign Service (you can import this in APIM for SOAP with the WSDL at https://adwords.google.com/api/adwords/cm/v201705/CampaignService?wsdl ), change the User authorization from None to OAuth 2.0 and select the Authorization server you just added such as here "Google AdWords":

Azure

Send a test request

Switch to the API Developer Portal. Navigate to APIs, pick the Google API you would have associated with OAuth, select a specific operation, and click "Try it". Under Authorization, change from No auth to Authorization code. You will be redirected to Google's Consent Server.

Azure

Assuming you have good values in the body for this request, you should be able to hit "Send" to make an actual call with OAuth tokens to the Google API.

Next Recommended Readings