Skip to content

Generate a token from Entra ID for development

This how-to guides you through the steps required to generate a token that you can use against an API secured with Entra ID in the development environments.

Prerequisites

  1. You will need a trygdeetaten.no user to access the service. Using the nav.no tenant is not supported.

Grant access

Grant access to the token generator service:

app.yaml
spec:
  azure:
    application:
      enabled: true
  accessPolicy:
    inbound:
      rules:
        - application: azure-token-generator
          namespace: aura
          cluster: dev-gcp

Ensure that the API application has configured the appropriate user access policies.

Generate token

The Entra ID token generator supports two use cases:

Generate token on behalf of employee user

  1. Visit https://azure-token-generator.intern.dev.nav.no/api/obo?aud=<audience> in your browser.
    • Replace <audience> with the intended audience of the token, in this case the API application.
    • The audience value must be on the form of <cluster>:<namespace>:<application>
    • For example: dev-gcp:my-team:my-app
  2. You will be redirected to log in at Entra ID (if not already logged in).
  3. After logging in, you should be redirected back to the token generator and presented with a JSON response containing an access_token.
  4. Use the access_token as a Bearer token to consume the API application.

Generate token for application user

  1. Visit https://azure-token-generator.intern.dev.nav.no/api/m2m?aud=<audience> in your browser.
    • Replace <audience> with the intended audience of the token, in this case the API application.
    • The audience value must be on the form of <cluster>:<namespace>:<application>
    • For example: dev-gcp:my-team:my-app
  2. You will be redirected to log in at Entra ID (if not already logged in).
  3. After logging in, you should be redirected back to the token generator and presented with a JSON response containing an access_token.
  4. Use the access_token as a Bearer token to consume the API application.