I have set up a django project using the django_auth_adfs library to use the Azure Active Directory for the authentication phase. I have set up its API using rest_framework and now, I am trying to send requests to it using Postman. My problem is that if I send a request with or without an access token, my result is nothing but the raw html code of the Microsoft login page. I used this link for generating my access token:
https://dev.to/425show/calling-an-azure-ad-secured-api-with-postman-22co
I tried different API Permissions for my Azure App such as Azure Active Directory Graph, Microsoft Graph, and one under my own project name which comes from the one I configured as a scope in the Expose an API. Also, I wonder if the company should grant access to the API I configured in the Expose an API?
This is the result I get and this is my Postman environment. During the token registration, I am prompted to log in using my username, password, and the authentication code sent to my phone, and then the token is generated successfully. However, I am still getting the login page, although I am using the token in my headers. Also, about the Django AD configuration: it works fine. People can log in and log out using their Microsoft accounts, so the problem should not be there.
Steps to authenticating Django API using Azure Active Directory (AD) and accessing it via Postman.
Create an application in App registrations of Microsoft Entra ID. Choose Supported account types as Microsoft Entra ID tenant - Multitenant and personal Microsoft accounts for the API.
Add a scope in Expose an API
by selecting consent as Admins and users as shown in the below image.
Use Instance, ClientId and TenantId in the Django API.
"Instance": "https://login.microsoftonline.com/",
"ClientId": "18", //Application (Client) ID from 'Catalogue.Api' app registration overview blade
"TenantId": "932" // Tenant ID from '.Catalogue.Api' app registration overview blade
https://www.postman.com/oauth2/callback
Select Access tokens, ID tokens in Authentication and save it.
In the Postman application, add API permissions for the API app which you have created.
Select Delegated permissions and Permissions of the API and add the permission.
Create a new request and select the Auth Type as OAuth 2.0.
Change Callback URL, Auth URL, Access Token URL, Client ID, Client Secret, Scope and State with the Postman app details:
Callback URL: {{callbackUrl}}
Auth URL: https://login.microsoftonline.com/{{tenantid}}/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/{{tenantid}}/oauth2/v2.0/token
Client ID: {{clientId}}
Client Secret: {{clientSecret}}
Scope: {{scope}}
Replace the Django API URL and send the request.
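An added check, not part of either post above: before pasting the Postman token into the request, decode its claims locally and confirm the audience is the API app registration (either its client ID or `api://<client-id>`), since a token minted for Microsoft Graph carries the wrong `aud` and will not authenticate against the Django API. The client ID and the `access_as_user` scope below are placeholders, and the token builder produces an unsigned token for local testing only.

```python
"""Offline inspection of an Azure AD access token's claims before sending it
to a django_auth_adfs-protected DRF endpoint. Constructed example; the token
builder is a stand-in for a real Entra ID token and is NOT signed (signature
verification stays the server's job)."""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_api_token(token: str, api_client_id: str, now=None) -> list:
    """List reasons the API (registered as api_client_id) would reject the
    token. An empty list means audience, scope and expiry look right."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in {api_client_id, f"api://{api_client_id}"}:
        problems.append(f"aud {aud!r} is not the API app {api_client_id}; "
                        "a Graph token (aud graph.microsoft.com) is not accepted")
    if not claims.get("scp") and not claims.get("roles"):
        problems.append("no scp/roles claim: the scope from 'Expose an API' was not requested")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for local testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    API_ID = "00000000-0000-0000-0000-000000000000"  # placeholder client ID
    exp = time.time() + 3600
    good = make_unsigned_token({"aud": f"api://{API_ID}", "scp": "access_as_user", "exp": exp})
    graph = make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "User.Read", "exp": exp})
    print(check_api_token(good, API_ID))   # []
    print(check_api_token(graph, API_ID))  # audience mismatch reported
```

Paste a real Postman token into `check_api_token` the same way; an empty result means the remaining failures are on the Django side (settings or authentication class), not the token.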