Authenticating SIP Messages using Device's OAuth 2.0 Server with Azure AD

You can configure the device to use Azure Active Directory (Azure AD) to authenticate incoming SIP messages based on the OAuth 2.0 protocol. Azure AD is Microsoft's cloud-based identity and access management service, designed for Internet-based applications.

As Azure AD doesn't support OAuth Token Introspection, the device validates the received token using its embedded NGINX server, which simulates an OAuth 2.0 Introspection endpoint.

The SIP UA obtains its token from the Azure AD identification and token-generation APIs. The token is a JSON Web Token (JWT), a secure signed and encrypted JSON document identifying the user, which the UA includes in the Authorization header of the SIP requests it sends to the device. To validate the JWT, the device needs the public keys from Azure AD, which it downloads periodically (Azure AD refreshes the keys daily).

When the device receives a SIP request that needs validation, it extracts the token from the 'Authorization: Bearer <token>' header of the SIP message and sends it to the NGINX server. NGINX then decrypts the token using the public keys and validates it.
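The following is an added example, not AudioCodes code and not the logic of the device's embedded NGINX server (which is not published). It models the flow described above end to end: the UA's JWT arrives in 'Authorization: Bearer <token>', the device hands the token to an introspection-style check, and that check looks up the signing key by 'kid' in a JWKS document of the shape Azure AD publishes, verifies the RS256 signature with the public key, and checks issuer, audience and expiry before answering {"active": true} or {"active": false}. Because it has to run offline, a constructed 1024-bit RSA key pair stands in for the keys the device would download from Azure AD; the ISSUER and AUDIENCE values are placeholders for your tenant ID and Application (client) ID.

```python
import base64, hashlib, hmac, json, random, time

_rng = random.SystemRandom()
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DigestInfo for SHA-256
_b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
_unb64url = lambda txt: base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def _random_prime(bits: int) -> int:  # Miller-Rabin search, only needed for the constructed demo key
    while True:
        n = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(16):
            x = pow(_rng.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # witness of compositeness: try the next candidate
        else:
            return n

def make_rsa_key(bits: int = 1024, kid: str = "demo-key-1") -> dict:  # stand-in for Azure AD's signing key
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so a nonzero remainder means gcd(e, phi) == 1
            return {"kid": kid, "n": p * q, "e": e, "d": pow(e, -1, phi)}

def public_jwks(key: dict) -> dict:  # JWKS in the shape Azure AD publishes: base64url n and e, found by 'kid'
    enc = lambda x: _b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": key["kid"], "n": enc(key["n"]), "e": enc(key["e"])}]}

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def issue_jwt(key: dict, claims: dict) -> str:  # token as the UA would get it from Azure AD (demo key here)
    seg = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": "RS256", "typ": "JWT", "kid": key["kid"]}) + "." + seg(claims)
    return signing_input + "." + _b64url(rs256_sign(key, signing_input.encode()))

def introspect(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:  # RFC 7662-style reply
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(_unb64url(h_b64)), json.loads(_unb64url(p_b64)), _unb64url(s_b64)
        alg, kid, exp = header["alg"], header["kid"], claims["exp"]
    except (ValueError, TypeError, KeyError):  # malformed, non-object or incomplete token
        return {"active": False}
    jwk = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
    if alg != "RS256" or jwk is None:  # the token never gets to choose 'none' or an HMAC alg
        return {"active": False}
    n, e = (int.from_bytes(_unb64url(jwk[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h_b64}.{p_b64}".encode(), sig):
        return {"active": False}
    if claims.get("iss") != issuer or claims.get("aud") != audience or not isinstance(exp, (int, float)) or exp <= now:
        return {"active": False}
    return {"active": True, "sub": claims.get("sub"), "iss": issuer, "aud": audience, "exp": exp}

def bearer_from_sip(sip_message: str):  # device side: token from 'Authorization: Bearer <token>', else None
    for line in sip_message.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, tok = value.strip().partition(" ")
            if scheme.lower() == "bearer" and tok.strip():
                return tok.strip()
    return None

ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"  # placeholder: your Azure AD tenant
AUDIENCE = "<application-client-id>"                             # placeholder: the Application (client) ID
DEMO_KEY = make_rsa_key()
DEMO_JWKS = public_jwks(DEMO_KEY)

def demo_sip_request(token: str) -> str:  # constructed INVITE carrying the bearer token
    return ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776\r\n"
            f"From: <sip:alice@example.com>;tag=1928\r\nAuthorization: Bearer {token}\r\nContent-Length: 0\r\n\r\n")

def check_request(sip_message: str, now=None) -> dict:  # what the device does for each request needing validation
    token = bearer_from_sip(sip_message)
    return introspect(token, DEMO_JWKS, ISSUER, AUDIENCE, now) if token else {"active": False}
```

The 'kid' lookup is the reason the device keeps a fresh copy of the Azure AD key set: after Azure AD's daily key refresh, a token signed with a new key would be rejected until the device has downloaded the JWKS that contains that 'kid'. Pinning the algorithm to RS256 on the verifier side, rather than reading it from the token header, is what keeps an attacker-supplied 'alg' value from downgrading the check.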

To configure OAuth 2.0 authentication with Azure AD:
1. Make sure that the settings of your Azure AD are appropriately defined to operate with the device. For more information, contact your AudioCodes sales representative.
2. Configure a Remote Web Service to represent the device's embedded NGINX server, acting as the OAuth 2.0 Introspection endpoint:
a. Open the Remote Web Services table (see Configuring Remote Web Services), and then configure a Remote Web Service with the following settings:
'Name': "InternalOauth"
'Type': General
'Path': "introspect"
b. Select the Remote Web Service that you configured, click the HTTP Remote Hosts link located below the table, and then configure an HTTP Remote Host to represent the device's embedded NGINX (OAuth) server, with the following settings:
'Address': "127.0.0.1"
'Port': "321"
'Transport Type': HTTP
3. Open the IP Groups table (see Configuring IP Groups), and then configure an IP Group for the source of the incoming SIP messages with the following settings:
'Authentication Mode': SBC as Server
'Authentication Method List': "register/setup-invite"
'SBC Server Authentication Type': Authenticate with OAuth Server
'OAuth HTTP Service': InternalOauth (i.e., the Remote Web Service that you configured previously)
4. Make sure that you have configured a DNS server for the local IP network interface in the IP Interfaces table (see Configuring IP Network Interfaces).
5. Open the OAuth Servers table (see Configuring OAuth 2.0 Servers), and then configure the OAuth 2.0 server for Azure AD with the following settings:
'Base URL': "https://login.microsoftonline.com/<tenant ID, obtained from your Azure AD account>"
'Application ID': Copy-and-paste the Application (client) ID, obtained from your Azure AD account