Authenticating SIP Messages using Device's OAuth 2.0 Server with Microsoft Entra ID

You can configure the device to use Microsoft Entra ID (formerly, Azure Active Directory) to authenticate incoming SIP messages based on the OAuth 2.0 protocol. Microsoft Entra ID is a cloud-based identity and access management service, designed for Internet-based applications.

As Microsoft Entra ID doesn't support OAuth Token Introspection, the device validates the received token using its embedded NGINX server, which simulates an OAuth 2.0 Introspection endpoint.

The SIP UA obtains its token using the Microsoft Entra ID APIs for identification and token generation, in JSON Web Token (JWT) format, which is a secure signed and encrypted JSON document identifying the user, and includes it in the Authorization header of SIP requests sent to the device. For the device to validate the JWT, it needs the public keys from Microsoft Entra ID, which it downloads periodically (Microsoft Entra ID refreshes keys daily).

When the device receives a SIP request that needs validation, it extracts the token from the 'Authorization: Bearer <token>' header of the SIP message and sends it the NGINX server. NGINX then decrypts the token using the public keys and validates them.

➢

To configure OAuth 2.0 authentication with Microsoft Entra ID:

1.

Make sure that the settings of your Microsoft Entra ID are appropriately defined to operate with the device. For more information, contact your AudioCodes sales representative.

2.

Configure a Remote Web Service to represent the device's embedded NGINX server, acting as the OAuth 2.0 Introspection endpoint:

a.

Open the Remote Web Services table (see Configuring Remote Web Services), and then configure a Remote Web Service with the following settings:

◆

'Name': "InternalOauth"

◆

'Type': General

◆

'Path': "introspect"

a.

Select the Remote Web Service that you configured, click the HTTP Remote Hosts link located below the table, and then configure an HTTP Remote Host to represent the device's embedded NGINX (OAuth) server, with the following settings:

◆

'Address': "127.0.0.1"

◆

'Port': "321"

◆

'Transport Type': HTTP

3.

Open the IP Groups table (see Configuring IP Groups), and then configure an IP Group for the source of the incoming SIP messages with the following settings:

●

'Authentication Mode': SBC as Server

●

'Authentication Method List': "register/setup-invite"

●

'SBC Server Authentication Type': Authenticate with OAuth Server

●

'OAuth HTTP Service': Internal Oauth (i.e., Remote Web Service that you configured previously)

4.

Make sure that you have configured a DNS server for the local IP network interface in the IP Interfaces table (see Configuring IP Network Interfaces).

5.

Open the OAuth Servers table (see Configuring OAuth 2.0 Servers), and then configure the OAuth 2.0 server for Microsoft Entra ID with the following settings:

●

'Base URL': "https://login.microsoftonline.com/<tenant ID, obtained from your Microsoft Entra ID account>".

●

'Application ID': Copy-and-paste the Application (client) ID, obtained from your Microsoft Entra ID account.