
How to configure K2 Workflow REST API to authenticate Azure AD users via OAuth


K2 Workflow REST API uses Basic authentication by default. If you are required to use the API with OAuth, additional configuration is needed. Please note that this article only applies to the scenario where you want AAD users to have access to the Workflow REST API via OAuth.


You may have come across this article (Configure K2 for Inbound OAuth), which demonstrates what you need to configure to allow the Workflow REST API to use OAuth. That article states you have to add the permission from the "K2 API" app to your AAD app.




However, you may not be able to find this "K2 API" app when you search for it. This article will guide you through creating your own "K2 API" app.



Your K2 environment needs to be configured to allow AAD users to log in to K2. Please refer to this document (Manually Configure K2 for Azure Active Directory) if you have not done so.



  1. Go to and select Azure Active Directory.
  2. From the left menu, select App Registration.
  3. If you have previously manually configured your K2 to use AAD for authentication, you should find the AAD app that you have created previously here.
  4. Click on New Registration to create a new app.
  5. Give the app a name, and enter for the Redirect URI.


  6. Click on Register to create the app.
  7. Once you have created the app, click on it, then go to API permissions.


  8. Add the highlighted permissions shown in the screenshot below:


  9. Click on Grant admin consent.
  10. From the left menu, select Expose an API.


  11. Set the Application ID URI. In theory, this URI can be anything you want.

    Note down the Application ID URI used here, as you will need it later in points 19 and 22.

    Once you have set the Application ID URI, click on Add a scope. Configure the scope as per what is shown in the screenshot below.


  12. Click on Add a client application. Provide the client ID of the app that you created while following the steps in the article Manually Configure K2 for Azure Active Directory to set up the integration between K2 and Azure AD.


  13. Go back to your Azure Active Directory > App Registrations, and look for the app that you have created when setting up the AAD integration with K2.
  14. Go to API permissions, click on Add a permission.
  15. In the popup screen on the right, select My APIs. You should see the API app that you have created. Select it.


  16. Check the user_impersonation permission, and click Add permissions.


  17. You should see the permission you have added in your configured permissions list.


  18. Click on Grant admin consent.
  19. With the API app created, all that is left is to configure your K2. Refer to the article Configure K2 for Inbound OAuth, and follow Step 3: Configure the Bearer Token OAuth resource in K2 and Step 4: Enable the relevant K2 API.

    Under Step 3 point 9 (Configure K2 for Inbound OAuth), the token value for the audience parameter comes from the Application ID URI you have set above in point 11 from this article. If you are using a different Application ID URI, then for the audience parameter, make sure you enter the Application ID URI that you are using. Remember to include the trailing slash (eg.


  20. When you are done, log on to the web server that is hosting your K2 Workflow REST API.
  21. Go to [Program Files]\K2\WebServices\API\Workflow\V1, and edit web.config.
  22. Look for the Audience key under <appSettings>. Change this value to match the Application ID URI you have set in point 11 and in the OAuth resource. Remember to include the trailing slash (eg.


  23. Save the changes made to the web.config, and run IISRESET.
  24. To test if the Workflow REST API is working properly with OAuth, you can follow the steps in the article How To: Use Postman to Test the Workflow REST API using OAuth.
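
Points 19 and 22 both depend on the audience string matching the Application ID URI exactly, including the trailing slash. The following Python script is an added example, not part of the original article or K2's own code: it reads the Audience key from a web.config and compares it with the `aud` claim of an access token. The URI `https://k2api.example.invalid/`, the sample web.config and the unsigned token are constructed placeholders, and the exact-string comparison is an assumption about how the API matches the audience.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed sample: the <appSettings> part of a web.config with a placeholder URI.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Audience" value="https://k2api.example.invalid/" />
  </appSettings>
</configuration>"""

def configured_audience(web_config_xml):
    """Return the value of the Audience key under <appSettings>, or None."""
    root = ET.fromstring(web_config_xml)
    for add in root.findall("./appSettings/add"):
        if add.get("key") == "Audience":
            return add.get("value")
    return None

def token_audiences(jwt):
    """Read the aud claim from a JWT payload WITHOUT verifying the signature.
    Diagnostic use only; never base an access decision on this result."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud")
    return [aud] if isinstance(aud, str) else list(aud or [])

def check_audience(web_config_xml, jwt):
    """Compare the token's aud with the configured Audience; return (ok, reason)."""
    expected = configured_audience(web_config_xml)
    if expected is None:
        return False, "no Audience key under <appSettings>"
    auds = token_audiences(jwt)
    if expected in auds:
        return True, "aud matches Audience exactly"
    if any(a.rstrip("/") == expected.rstrip("/") for a in auds):
        return False, "aud and Audience differ only by a trailing slash"
    return False, f"aud {auds!r} does not match Audience {expected!r}"

def make_unsigned_sample(aud):
    """Build a constructed, unsigned token for the demo (not a real AAD token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud})}.sig"

if __name__ == "__main__":
    for aud in ("https://k2api.example.invalid/", "https://k2api.example.invalid"):
        print(check_audience(SAMPLE_WEB_CONFIG, make_unsigned_sample(aud)))
```

To use it against a real deployment, pass the contents of the web.config from point 21 and a token obtained during the test in point 24 to `check_audience`.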

Last update:
‎03-15-2022 07:46 AM