Generate a token from Entra ID for development
This how-to guides you through the steps required to generate a token that you can use against an API secured with Entra ID in the development environments.
Prerequisites
- You will need a trygdeetaten.no user to access the service. Using the `nav.no` tenant is not supported.
Grant access
Grant access to the token generator service:
app.yaml
```yaml
spec:
  azure:
    application:
      enabled: true
  accessPolicy:
    inbound:
      rules:
        - application: azure-token-generator
          namespace: aura
          cluster: dev-gcp
```
Ensure that the API application has configured the appropriate user access policies.
Generate token
The Entra ID token generator supports two use cases:
Generate token on behalf of employee user
- Visit https://azure-token-generator.intern.dev.nav.no/api/obo?aud=<audience> in your browser.
  - Replace `<audience>` with the intended audience of the token, in this case the API application.
  - The audience value must be in the form `<cluster>:<namespace>:<application>`.
  - For example: `dev-gcp:my-team:my-app`
- You will be redirected to log in at Entra ID (if not already logged in).
- After logging in, you should be redirected back to the token generator and presented with a JSON response containing an `access_token`.
- Use the `access_token` as a Bearer token to consume the API application.
Generate token for application user
- Visit https://azure-token-generator.intern.dev.nav.no/api/m2m?aud=<audience> in your browser.
  - Replace `<audience>` with the intended audience of the token, in this case the API application.
  - The audience value must be in the form `<cluster>:<namespace>:<application>`.
  - For example: `dev-gcp:my-team:my-app`
- You will be redirected to log in at Entra ID (if not already logged in).
- After logging in, you should be redirected back to the token generator and presented with a JSON response containing an `access_token`.
- Use the `access_token` as a Bearer token to consume the API application.
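The following is an added example, not part of the original guide or the token generator's own code. It builds the generator URL for either flow after checking the audience form, then turns the JSON response into a Bearer header once the token's `exp` claim has been checked. It assumes the `access_token` is a JWT and that audience parts consist of lowercase letters, digits and hyphens; the function names and the sample response are constructed for illustration.

```python
import base64
import json
import re
import time
from urllib.parse import urlencode

GENERATOR = "https://azure-token-generator.intern.dev.nav.no/api"  # from the steps above
# Assumption: each audience part is lowercase letters, digits and hyphens.
AUDIENCE_RE = re.compile(r"[a-z0-9-]+:[a-z0-9-]+:[a-z0-9-]+")


def generator_url(flow, audience):
    """Return the URL to open in a browser for the 'obo' or 'm2m' flow."""
    if flow not in ("obo", "m2m"):
        raise ValueError("flow must be 'obo' or 'm2m'")
    if not AUDIENCE_RE.fullmatch(audience):
        raise ValueError("audience must be <cluster>:<namespace>:<application>")
    return f"{GENERATOR}/{flow}?" + urlencode({"aud": audience}, safe=":")


def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def bearer_header(response_body, now=None):
    """Build the Authorization header from the generator's JSON response."""
    token = json.loads(response_body)["access_token"]
    now = time.time() if now is None else now
    if jwt_claims(token).get("exp", 0) <= now:
        raise ValueError("token is expired; generate a new one")
    return {"Authorization": f"Bearer {token}"}


def constructed_response(exp):
    """Constructed sample response; the token is unsigned and not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return json.dumps({"access_token": ".".join([enc({"typ": "JWT"}), enc({"exp": exp}), "sig"])})


if __name__ == "__main__":
    print(generator_url("obo", "dev-gcp:my-team:my-app"))
    print(bearer_header(constructed_response(exp=int(time.time()) + 3600)))
```

Decoding the claims here is a local sanity check only; the API application still validates the token's signature and audience itself.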