Readme does not describe, or is missing documentation that describes, the difference between authorization with Azure AD or OAuth #561

Open
devamirsaleem opened this issue Jan 3, 2022 · 3 comments

@devamirsaleem

I am reading Microsoft documentation and using their apps / API to secure an API using Azure AD. But I got confused by two different approaches, as the articles describe setting up the client app and API.

This article describes "Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory"
link: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

I am following another tutorial and using the built application for web app and API; this describes "How to secure a Web API built with ASP.NET Core using the Microsoft identity platform. This sample demonstrates an ASP.NET Core Web App calling an ASP.NET Core Web API that is secured using Azure AD".

It further describes "1. The client ASP.NET Core Web App uses the Microsoft Authentication Library (MSAL) to sign in and obtain a JWT [Access Token]. 2. The [Access Token] is used as a bearer token to authorize the user to call the ASP.NET Core Web API protected by Azure AD."

So I am confused: are they two different things? If so, when to use the 2nd option or the first one? Both deal with Azure AD and claim to protect an API.

@kalyankrishna1
Contributor

The first one is a product, for API management, which is a sort of higher level abstraction for publishing APIs. Thus, their instructions tend to be more around setting configuration in the API management portal. There is some overlap, like registering an app (API) in the Azure AD portal, but for the most part, the "protection" is done automatically by the API management service.

This sample is more "raw", where a developer develops and runs an API on their own and learns the ropes of how this API can then be protected by Azure AD. This API can be hosted in the API management, but you would remove the code that you wrote to protect it and use the instructions provided by the API management team. The client app's code will remain as is.
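The "raw" approach described in the comment above, as an added example that is not code from the sample or the thread: an ASP.NET Core Web API validating Azure AD bearer tokens itself with the JwtBearer handler. The tenant id, API client id, scope name and route are placeholders; when the same API sits behind API Management, these issuer, audience and scope checks move into the gateway's validate-jwt policy and this middleware is what gets removed.

```csharp
// Added example (not the sample's own code): a Web API that validates
// Azure AD access tokens itself. Placeholders must be replaced with the
// values from your own app registration.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;

const string TenantId = "<TENANT_ID>";        // placeholder
const string ApiClientId = "<API_CLIENT_ID>"; // placeholder: the Web API's app registration

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys are discovered from tenant metadata; never hard-code them.
        options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Azure AD uses two audience formats depending on the token version.
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
            // v1.0 and v2.0 access tokens carry different issuer URLs.
            ValidIssuers = new[]
            {
                $"https://sts.windows.net/{TenantId}/",
                $"https://login.microsoftonline.com/{TenantId}/v2.0",
            },
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Require the delegated scope the client obtained via MSAL (placeholder scope name).
    options.AddPolicy("AccessAsUser", policy =>
        policy.RequireAssertion(ctx =>
            (ctx.User.FindFirst("scp")?.Value ?? string.Empty)
                .Split(' ').Contains("access_as_user")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical protected route; only a valid token with the required scope reaches it.
app.MapGet("/api/todolist", (ClaimsPrincipal user) =>
        Results.Ok(new { caller = user.Identity?.Name }))
   .RequireAuthorization("AccessAsUser");

app.Run();
```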

@devamirsaleem
Author

Thanks for your reply. Last time when I deployed the API on Azure I had to use the API Management tool regardless of not using OAuth. So let's say if I use the sample and deploy on Azure and do not use OAuth, the API would still be protected and the code would remain intact. However, if I go on to implement OAuth in Azure then the code would be meaningless, but I won't have to remove it or do new coding?

@kalyankrishna1 kalyankrishna1 self-assigned this Feb 22, 2022
@kalyankrishna1
Contributor

The API mgmt is capable of working with OAuth providers like Azure AD, or you can use this sample to get more raw and handle the OAuth token validation bits yourself. Let us know if we can close this issue.
