Configure Azure API Management Authorization Providers

The azure-native:apimanagement:AuthorizationProvider resource, part of the Pulumi Azure Native provider, defines OAuth2 authorization providers that store identity provider configuration and credentials for API Management policies. This guide focuses on two capabilities: Azure AD authorization code flow and Google OAuth integration.

Authorization providers belong to API Management service instances and reference OAuth applications registered with identity providers (Azure AD, Google). The examples are intentionally small. Combine them with your own API Management policies and authorization resources.

Configure Azure AD with authorization code flow

API Management often calls Microsoft Graph or other Azure AD-protected APIs on behalf of users, requiring user consent flows where end users authenticate and grant permissions.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

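// Azure AD authorization provider using the OAuth2 authorization code grant.
// The app registration's client secret is not placed in source: it is read from
// Pulumi config as a secret (`pulumi config set --secret clientSecret <value>`),
// so it is encrypted in state and stays out of version control.
const config = new pulumi.Config();
const clientSecret = config.requireSecret("clientSecret");

const authorizationProvider = new azure_native.apimanagement.AuthorizationProvider("authorizationProvider", {
    authorizationProviderId: "aadwithauthcode",
    displayName: "aadwithauthcode",
    identityProvider: "aad",
    oauth2: {
        grantTypes: {
            authorizationCode: {
                clientId: "59790825-fdd3-4b10-bc7a-4c3aaf25801d",
                clientSecret: clientSecret,
                // API the token is requested for (Microsoft Graph) and the delegated scopes.
                resourceUri: "https://graph.microsoft.com",
                scopes: "User.Read.All Group.Read.All",
            },
        },
        // Must match the callback URL registered on the Azure AD application.
        redirectUrl: "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resourceGroupName: "rg1",
    serviceName: "apimService1",
});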
import pulumi
import pulumi_azure_native as azure_native

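# Azure AD authorization provider using the OAuth2 authorization code grant.
# The client secret is read from Pulumi config as a secret
# (`pulumi config set --secret clientSecret <value>`) rather than written as a
# literal, so it is encrypted in state and kept out of version control.
config = pulumi.Config()
client_secret = config.require_secret("clientSecret")

authorization_provider = azure_native.apimanagement.AuthorizationProvider("authorizationProvider",
    authorization_provider_id="aadwithauthcode",
    display_name="aadwithauthcode",
    identity_provider="aad",
    oauth2={
        "grant_types": {
            "authorization_code": {
                "clientId": "59790825-fdd3-4b10-bc7a-4c3aaf25801d",
                "clientSecret": client_secret,
                # API the token is requested for (Microsoft Graph) and the delegated scopes.
                "resourceUri": "https://graph.microsoft.com",
                "scopes": "User.Read.All Group.Read.All",
            },
        },
        # Must match the callback URL registered on the Azure AD application.
        "redirect_url": "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resource_group_name="rg1",
    service_name="apimService1")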
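package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

// main declares an Azure AD authorization provider for an existing API
// Management service, using the OAuth2 authorization code grant.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The client secret is read from Pulumi config as a secret
		// (`pulumi config set --secret clientSecret <value>`) rather than written
		// as a literal, so it is encrypted in state and kept out of version control.
		clientSecret := config.RequireSecret(ctx, "clientSecret")

		_, err := apimanagement.NewAuthorizationProvider(ctx, "authorizationProvider", &apimanagement.AuthorizationProviderArgs{
			AuthorizationProviderId: pulumi.String("aadwithauthcode"),
			DisplayName:             pulumi.String("aadwithauthcode"),
			IdentityProvider:        pulumi.String("aad"),
			Oauth2: &apimanagement.AuthorizationProviderOAuth2SettingsArgs{
				GrantTypes: &apimanagement.AuthorizationProviderOAuth2GrantTypesArgs{
					AuthorizationCode: pulumi.StringMap{
						"clientId":     pulumi.String("59790825-fdd3-4b10-bc7a-4c3aaf25801d"),
						"clientSecret": clientSecret,
						// API the token is requested for (Microsoft Graph) and the delegated scopes.
						"resourceUri": pulumi.String("https://graph.microsoft.com"),
						"scopes":      pulumi.String("User.Read.All Group.Read.All"),
					},
				},
				// Must match the callback URL registered on the Azure AD application.
				RedirectUrl: pulumi.String("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1"),
			},
			ResourceGroupName: pulumi.String("rg1"),
			ServiceName:       pulumi.String("apimService1"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}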
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

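return await Deployment.RunAsync(() => 
{
    // Azure AD authorization provider using the OAuth2 authorization code grant.
    // The client secret is read from Pulumi config as a secret
    // (`pulumi config set --secret clientSecret <value>`) rather than written as a
    // literal, so it is encrypted in state and kept out of version control.
    var config = new Config();
    var clientSecret = config.RequireSecret("clientSecret");

    var authorizationProvider = new AzureNative.ApiManagement.AuthorizationProvider("authorizationProvider", new()
    {
        AuthorizationProviderId = "aadwithauthcode",
        DisplayName = "aadwithauthcode",
        IdentityProvider = "aad",
        Oauth2 = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2SettingsArgs
        {
            GrantTypes = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2GrantTypesArgs
            {
                AuthorizationCode = 
                {
                    { "clientId", "59790825-fdd3-4b10-bc7a-4c3aaf25801d" },
                    { "clientSecret", clientSecret },
                    // API the token is requested for (Microsoft Graph) and the delegated scopes.
                    { "resourceUri", "https://graph.microsoft.com" },
                    { "scopes", "User.Read.All Group.Read.All" },
                },
            },
            // Must match the callback URL registered on the Azure AD application.
            RedirectUrl = "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
        },
        ResourceGroupName = "rg1",
        ServiceName = "apimService1",
    });

});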
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.AuthorizationProvider;
import com.pulumi.azurenative.apimanagement.AuthorizationProviderArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2SettingsArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2GrantTypesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

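public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an Azure AD authorization provider for an existing API Management
     * service, using the OAuth2 authorization code grant.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // The client secret is read from Pulumi config as a secret
        // (`pulumi config set --secret clientSecret <value>`) rather than written as a
        // literal, so it is encrypted in state and kept out of version control.
        Output<String> clientSecret = ctx.config().requireSecret("clientSecret");

        var authorizationProvider = new AuthorizationProvider("authorizationProvider", AuthorizationProviderArgs.builder()
            .authorizationProviderId("aadwithauthcode")
            .displayName("aadwithauthcode")
            .identityProvider("aad")
            .oauth2(AuthorizationProviderOAuth2SettingsArgs.builder()
                .grantTypes(AuthorizationProviderOAuth2GrantTypesArgs.builder()
                    // The map is built inside applyValue so the secret never leaves its Output.
                    .authorizationCode(clientSecret.applyValue(secret -> Map.of(
                        "clientId", "59790825-fdd3-4b10-bc7a-4c3aaf25801d",
                        "clientSecret", secret,
                        // API the token is requested for (Microsoft Graph) and the delegated scopes.
                        "resourceUri", "https://graph.microsoft.com",
                        "scopes", "User.Read.All Group.Read.All"
                    )))
                    .build())
                // Must match the callback URL registered on the Azure AD application.
                .redirectUrl("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1")
                .build())
            .resourceGroupName("rg1")
            .serviceName("apimService1")
            .build());

    }
}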
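# The client secret is declared as a secret config value and supplied out of band
# (`pulumi config set --secret clientSecret <value>`), so it is encrypted in state
# and never stored in this file.
configuration:
  clientSecret:
    type: string
    secret: true
resources:
  # Azure AD authorization provider using the OAuth2 authorization code grant.
  authorizationProvider:
    type: azure-native:apimanagement:AuthorizationProvider
    properties:
      authorizationProviderId: aadwithauthcode
      displayName: aadwithauthcode
      identityProvider: aad
      oauth2:
        grantTypes:
          authorizationCode:
            clientId: 59790825-fdd3-4b10-bc7a-4c3aaf25801d
            clientSecret: ${clientSecret}
            # API the token is requested for (Microsoft Graph) and the delegated scopes.
            resourceUri: https://graph.microsoft.com
            scopes: User.Read.All Group.Read.All
        # Must match the callback URL registered on the Azure AD application.
        redirectUrl: https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1
      resourceGroupName: rg1
      serviceName: apimService1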

The identityProvider property specifies “aad” for Azure Active Directory. The oauth2 block configures the authorization code grant type with clientId and clientSecret from your Azure AD app registration. The resourceUri points to the API you’re calling (Microsoft Graph in this case), and scopes define the permissions requested. The redirectUrl must match the callback URL registered in your Azure AD application.

Connect to Google OAuth for third-party identity

APIs that integrate with Google services need OAuth credentials to access user data like Gmail, Drive, or Calendar.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

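// Google authorization provider using the OAuth2 authorization code grant.
// The OAuth client's secret is not placed in source: it is read from Pulumi
// config as a secret (`pulumi config set --secret clientSecret <value>`), so it
// is encrypted in state and stays out of version control.
const config = new pulumi.Config();
const clientSecret = config.requireSecret("clientSecret");

const authorizationProvider = new azure_native.apimanagement.AuthorizationProvider("authorizationProvider", {
    authorizationProviderId: "google",
    displayName: "google",
    identityProvider: "google",
    oauth2: {
        grantTypes: {
            authorizationCode: {
                clientId: "99999999-xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
                clientSecret: clientSecret,
                // No resourceUri for Google: the scopes name the Google APIs directly.
                scopes: "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
            },
        },
        redirectUrl: "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resourceGroupName: "rg1",
    serviceName: "apimService1",
});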
import pulumi
import pulumi_azure_native as azure_native

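# Google authorization provider using the OAuth2 authorization code grant.
# The OAuth client's secret is read from Pulumi config as a secret
# (`pulumi config set --secret clientSecret <value>`) rather than written as a
# literal, so it is encrypted in state and kept out of version control.
config = pulumi.Config()
client_secret = config.require_secret("clientSecret")

authorization_provider = azure_native.apimanagement.AuthorizationProvider("authorizationProvider",
    authorization_provider_id="google",
    display_name="google",
    identity_provider="google",
    oauth2={
        "grant_types": {
            "authorization_code": {
                "clientId": "99999999-xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
                "clientSecret": client_secret,
                # No resourceUri for Google: the scopes name the Google APIs directly.
                "scopes": "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
            },
        },
        "redirect_url": "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resource_group_name="rg1",
    service_name="apimService1")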
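package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

// main declares a Google authorization provider for an existing API Management
// service, using the OAuth2 authorization code grant.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The OAuth client's secret is read from Pulumi config as a secret
		// (`pulumi config set --secret clientSecret <value>`) rather than written
		// as a literal, so it is encrypted in state and kept out of version control.
		clientSecret := config.RequireSecret(ctx, "clientSecret")

		_, err := apimanagement.NewAuthorizationProvider(ctx, "authorizationProvider", &apimanagement.AuthorizationProviderArgs{
			AuthorizationProviderId: pulumi.String("google"),
			DisplayName:             pulumi.String("google"),
			IdentityProvider:        pulumi.String("google"),
			Oauth2: &apimanagement.AuthorizationProviderOAuth2SettingsArgs{
				GrantTypes: &apimanagement.AuthorizationProviderOAuth2GrantTypesArgs{
					AuthorizationCode: pulumi.StringMap{
						"clientId":     pulumi.String("99999999-xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"),
						"clientSecret": clientSecret,
						// No resourceUri for Google: the scopes name the Google APIs directly.
						"scopes": pulumi.String("openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"),
					},
				},
				RedirectUrl: pulumi.String("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1"),
			},
			ResourceGroupName: pulumi.String("rg1"),
			ServiceName:       pulumi.String("apimService1"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}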
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

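return await Deployment.RunAsync(() => 
{
    // Google authorization provider using the OAuth2 authorization code grant.
    // The OAuth client's secret is read from Pulumi config as a secret
    // (`pulumi config set --secret clientSecret <value>`) rather than written as a
    // literal, so it is encrypted in state and kept out of version control.
    var config = new Config();
    var clientSecret = config.RequireSecret("clientSecret");

    var authorizationProvider = new AzureNative.ApiManagement.AuthorizationProvider("authorizationProvider", new()
    {
        AuthorizationProviderId = "google",
        DisplayName = "google",
        IdentityProvider = "google",
        Oauth2 = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2SettingsArgs
        {
            GrantTypes = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2GrantTypesArgs
            {
                AuthorizationCode = 
                {
                    { "clientId", "99999999-xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com" },
                    { "clientSecret", clientSecret },
                    // No resourceUri for Google: the scopes name the Google APIs directly.
                    { "scopes", "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email" },
                },
            },
            RedirectUrl = "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
        },
        ResourceGroupName = "rg1",
        ServiceName = "apimService1",
    });

});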
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.AuthorizationProvider;
import com.pulumi.azurenative.apimanagement.AuthorizationProviderArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2SettingsArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2GrantTypesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

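public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a Google authorization provider for an existing API Management
     * service, using the OAuth2 authorization code grant.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // The OAuth client's secret is read from Pulumi config as a secret
        // (`pulumi config set --secret clientSecret <value>`) rather than written as a
        // literal, so it is encrypted in state and kept out of version control.
        Output<String> clientSecret = ctx.config().requireSecret("clientSecret");

        var authorizationProvider = new AuthorizationProvider("authorizationProvider", AuthorizationProviderArgs.builder()
            .authorizationProviderId("google")
            .displayName("google")
            .identityProvider("google")
            .oauth2(AuthorizationProviderOAuth2SettingsArgs.builder()
                .grantTypes(AuthorizationProviderOAuth2GrantTypesArgs.builder()
                    // The map is built inside applyValue so the secret never leaves its Output.
                    .authorizationCode(clientSecret.applyValue(secret -> Map.of(
                        "clientId", "99999999-xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
                        "clientSecret", secret,
                        // No resourceUri for Google: the scopes name the Google APIs directly.
                        "scopes", "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
                    )))
                    .build())
                .redirectUrl("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1")
                .build())
            .resourceGroupName("rg1")
            .serviceName("apimService1")
            .build());

    }
}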
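# The OAuth client's secret is declared as a secret config value and supplied out
# of band (`pulumi config set --secret clientSecret <value>`), so it is encrypted
# in state and never stored in this file.
configuration:
  clientSecret:
    type: string
    secret: true
resources:
  # Google authorization provider using the OAuth2 authorization code grant.
  authorizationProvider:
    type: azure-native:apimanagement:AuthorizationProvider
    properties:
      authorizationProviderId: google
      displayName: google
      identityProvider: google
      oauth2:
        grantTypes:
          authorizationCode:
            clientId: 99999999-xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
            clientSecret: ${clientSecret}
            # No resourceUri for Google: the scopes name the Google APIs directly.
            scopes: openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
        redirectUrl: https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1
      resourceGroupName: rg1
      serviceName: apimService1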

The identityProvider property specifies “google” for Google’s OAuth system. The authorizationCode configuration includes clientId and clientSecret from your Google Cloud Console OAuth application. The scopes property requests OpenID Connect and Google user profile permissions. Unlike Azure AD, Google doesn’t use a resourceUri property; scopes directly reference Google API endpoints.

Beyond these examples

These snippets focus on specific authorization provider features: OAuth2 authorization code flow configuration and Azure AD and Google identity provider integration. They’re intentionally minimal rather than full API authorization solutions.

The examples reference pre-existing infrastructure such as API Management service instances and OAuth application registrations in Azure AD or Google. They focus on configuring the authorization provider rather than provisioning the surrounding API Management infrastructure.

To keep things focused, common authorization patterns are omitted, including:

  • Client credentials grant type (not covered in these examples)
  • Token refresh and expiration handling
  • Authorization resource creation (separate from provider)
  • Policy configuration that references the provider

These omissions are intentional: the goal is to illustrate how each authorization provider feature is wired, not provide drop-in OAuth modules. See the AuthorizationProvider resource reference for all available configuration options.


Frequently Asked Questions

OAuth Configuration & Identity Providers
How do I configure OAuth2 authorization code flow for Azure AD?
Set identityProvider to aad and configure oauth2.grantTypes.authorizationCode with clientId, clientSecret, resourceUri, and scopes. For example, use resourceUri as https://graph.microsoft.com and scopes like User.Read.All Group.Read.All.
What's the difference between authorization code and client credentials flows for Azure AD?
Authorization code flow includes clientId and clientSecret in the authorizationCode configuration, while client credentials flow omits these fields and relies on managed identity or other authentication methods.
Can I use Google as an identity provider?
Yes, set identityProvider to google and configure oauth2.grantTypes.authorizationCode with your Google OAuth client credentials and scopes like openid https://www.googleapis.com/auth/userinfo.profile.
What redirect URL should I use for OAuth consent?
Use https://authorization-manager.consent.azure-apim.net/redirect/apim/{serviceName} where {serviceName} matches your API Management service name.
Resource Properties & Constraints
What are the character limits for provider names?
Both displayName and identityProvider must be between 1 and 300 characters long.
What properties can't I change after creating the authorization provider?
The authorizationProviderId, resourceGroupName, and serviceName are immutable and require resource replacement if changed.
API Versioning
How do I use a different Azure API version for this resource?
Generate a local SDK package using pulumi package add azure-native apimanagement [ApiVersion]. Available versions include 2022-04-01-preview, 2022-08-01, 2023-03-01-preview, 2023-05-01-preview, 2023-09-01-preview, 2024-05-01, 2024-06-01-preview, and 2024-10-01-preview.
