Azure: API Management OAuth authorization servers

An API Management OAuth authorization server is the control-plane configuration describing an OAuth 2.0 provider used to authorize APIs and the developer portal (token/authorization endpoints, grant types, scopes, client ID, and a stored client secret).

This configuration governs API authentication for a single function; its stored client secret is a credential, but it is only returned by the dedicated listSecrets action, not by the standard read.


Microsoft.ApiManagement/service/authorizationServers/listSecrets/action

Returns the authorization server's secrets (client secret and resource-owner credentials), exporting reusable credential material an attacker can redeem to mint OAuth tokens and pivot into the OAuth-protected backends and identities.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog