Lab 1 - READ ONLY - Create Azure Entra ID with PKCE

Warning

In this lab, you don’t have to do anything. Everything is already created for you in Azure.

This lab is similar to the previous lab, except that we will use the PKCE grant flow. In the previous lab, we had to define the Client Secret in the Edge Client configuration (connectivity profile), which means the OAuth client (Edge Client) knows this secret and stores it on its system. Such a client must be trusted. If it cannot be trusted (for instance a mobile app distributed through an app store), you must use another mechanism called PKCE. With PKCE, the OAuth client does not need to know the client secret.

More details : https://my.f5.com/manage/s/article/K14432144
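To make the mechanism concrete, here is an added example (not part of the lab or of F5/Microsoft code) that derives the PKCE code_verifier and S256 code_challenge as RFC 7636 defines them, builds the authorize request the Edge Client would send with the Application ID and tenant used in this lab, and shows the check the authorization server performs at the token endpoint. The Entra ID v2.0 authorize endpoint URL and the sample IDs are assumptions taken from the lab text.

```python
"""PKCE (RFC 7636) walk-through: verifier, S256 challenge, and the server-side check."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Values copied from this lab (assumed for the example; substitute your own app's IDs)
CLIENT_ID = "e6f40de5-d0a4-4cc5-b680-48528fbd84e4"
TENANT = "f5access.onmicrosoft.com"
REDIRECT_URI = "http://localhost:8000"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 bytes -> 43 chars, inside the 43..128 range of RFC 7636."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str) -> str:
    """Authorization request: only the challenge travels here, never the verifier or a secret."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def server_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: the verifier sent with the code must hash to the stored challenge."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)
```

Because only the SHA-256 challenge is exposed in the browser redirect, a party that intercepts the authorization code still cannot redeem it without the verifier kept in the client's memory, which is why no stored client secret is needed.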

Create a new Azure Entra ID Application

  • In Azure Entra ID, go to App Registrations
  • Click on New Registration
    (Screenshot: new-registration1.png)
  • Give a name
  • For the redirect option
    • Select Single-page application (SPA): this is what enables PKCE instead of a Client Secret.
    • Enter the Edge Client OIDC redirect URI http://localhost:8000

Example : https://federate.itc.demo/oauth/client/redirect

  • Click Register
    (Screenshot: spa-app.png)

Configure your Entra ID app

  • Find your Entra ID Application and Edit it

  • Copy and save these IDs; we will use them in APM

    • Application ID (this is the OIDC client ID) : e6f40de5-d0a4-4cc5-b680-48528fbd84e4
    • Tenant ID or Tenant name : f5access.onmicrosoft.com
    (Screenshot: ids1.png)
  • In the Authentication menu, check the Web Redirect URIs. It must be the one defined previously. Don’t change any other settings.

    (Screenshot: redirect1.png)
  • In API permissions, keep only openid

    • Microsoft Graph - openid
    (Screenshot: api-permissions1.png)
  • In Expose an API, check that the Application ID URI exists; if not, click Add and save.

  • Click Add a scope, and create a scope with a name such as vpn

    • This scope will be used by APM

      (Screenshot: scope1.png)
  • Add your account under Owners so that you can find this app easily

  • In Manifest, set accessTokenAcceptedVersion to the value 2

    {
        "id": "30fc8872-f6de-4c3d-897b-fdb608bd1c5a",
        "acceptMappedClaims": null,
        "accessTokenAcceptedVersion": 2,
        "addIns": [],
        "allowPublicClient": null,
        "appId": "e6f40de5-d0a4-4cc5-b680-48528fbd84e4",
        "appRoles": [],
        "oauth2AllowUrlPathMatching": false,
        "createdDateTime": "2024-06-12T14:32:27Z",
        "description": null,
        "certification": null,
        ...
    }

  • Save

Note

Your Azure Entra ID is ready to be used by APM to authenticate users with PKCE grant flow.