Generate a token from Entra ID for developmentΒΆ
This how-to guides you through the steps required to generate a token that you can use against an API secured with Entra ID in the development environments.
PrerequisitesΒΆ
- You will need a trygdeetaten.no user to access the service. Using the
nav.no
tenant is not supported.
Grant accessΒΆ
Grant access to the token generator service:
app.yaml
spec:
azure:
application:
enabled: true
accessPolicy:
inbound:
rules:
- application: azure-token-generator
namespace: aura
cluster: dev-gcp
Ensure that the API application has configured the appropriate user access policies.
Generate tokenΒΆ
The Entra ID token generator supports two use cases:
Generate token on behalf of employee userΒΆ
- Visit https://azure-token-generator.intern.dev.nav.no/api/obo?aud=<audience> in your browser.
- Replace
<audience>
with the intended audience of the token, in this case the API application. - The audience value must be on the form of
<cluster>:<namespace>:<application>
- For example:
dev-gcp:my-team:my-app
- Replace
- You will be redirected to log in at Entra ID (if not already logged in).
- After logging in, you should be redirected back to the token generator and presented with a JSON response containing an
access_token
. - Use the
access_token
as a Bearer token to consume the API application.
Generate token for application userΒΆ
- Visit https://azure-token-generator.intern.dev.nav.no/api/m2m?aud=<audience> in your browser.
- Replace
<audience>
with the intended audience of the token, in this case the API application. - The audience value must be on the form of
<cluster>:<namespace>:<application>
- For example:
dev-gcp:my-team:my-app
- Replace
- You will be redirected to log in at Entra ID (if not already logged in).
- After logging in, you should be redirected back to the token generator and presented with a JSON response containing an
access_token
. - Use the
access_token
as a Bearer token to consume the API application.