Generate a token from Entra ID for development

This how-to guides you through the steps required to generate a token that you can use against an API secured with Entra ID in the development environments.

Prerequisites

  1. You will need a trygdeetaten.no user to access the service. Using the nav.no tenant is not supported.

Grant access

Grant access to the token generator service:

app.yaml

Ensure that the API application has configured the appropriate user access policies.

Generate token

The Entra ID token generator supports two use cases:

Generate token for employee user (on-behalf-of)

This generates a token by using the on-behalf-of flow.

  1. Visit https://azure-token-generator.intern.dev.nav.no/api/obo?aud=<audience> in your browser.
    • Replace <audience> with the intended audience of the token, in this case the API application.
    • The audience value must be in the form <cluster>:<namespace>:<application>
    • For example: dev-gcp:my-team:my-app
  2. You will be redirected to log in at Entra ID (if not already logged in).
  3. After logging in, you should be redirected back to the token generator and presented with a JSON response containing an access_token.
  4. Use the access_token as a Bearer token to consume the API application.
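Steps 1 and 4 above as an added Python example; it is not part of the original guide or the token generator's own code. The function names are hypothetical, the character set allowed in each audience segment is an assumption (Kubernetes-style names), and `sample_response` builds a constructed, unsigned stand-in for the generator's JSON response.

```python
import base64
import json
import re
import time
from urllib.parse import urlencode

GENERATOR_OBO = "https://azure-token-generator.intern.dev.nav.no/api/obo"  # URL from the guide
# Assumption: each segment is a Kubernetes-style name (lowercase letters, digits, '-').
_NAME = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_AUDIENCE = re.compile(rf"{_NAME}:{_NAME}:{_NAME}")


def obo_url(audience):
    """Build the step 1 URL; reject anything not <cluster>:<namespace>:<application>."""
    if not _AUDIENCE.fullmatch(audience):
        raise ValueError(f"expected <cluster>:<namespace>:<application>, got {audience!r}")
    return f"{GENERATOR_OBO}?{urlencode({'aud': audience}, safe=':')}"


def bearer_header(response_body, now=None):
    """Turn the generator's JSON response into an Authorization header (step 4).

    The JWT payload is decoded only to read 'exp'. The signature is NOT
    verified here; that is the job of the API that receives the token.
    """
    token = json.loads(response_body)["access_token"]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("access_token has expired; generate a new one")
    return {"Authorization": f"Bearer {token}"}


def sample_response(exp):
    """CONSTRUCTED stand-in for the generator's response (dummy, unsigned token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    token = ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"exp": exp}), "constructed"])
    return json.dumps({"access_token": token})


if __name__ == "__main__":
    print(obo_url("dev-gcp:my-team:my-app"))
    header = bearer_header(sample_response(exp=int(time.time()) + 300))
    print(sorted(header))  # header names only; never print or log the token itself
```
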

Generate token for application user (client credentials)

This generates a token by using the client credentials flow.

Perform a POST request to https://azure-token-generator.intern.dev.nav.no/api/public/m2m:

http

where <audience> is the intended audience of the token, in this case the target API application.

For example, in curl:

bash

This returns an access token which can be used as a Bearer token to consume the target API application.