API Authentication

Leighton21 21 Reputation points
2020-10-21T14:53:02.823+00:00

Hi All,

We have a number of android devices that we rent out to clients. The devices only have a single accessible app which, when it is able to, makes a request to an API we have surfaced through APIM to update device health stats. Traditionally we have used an API Key stored on the device (vaulted) to authenticate against the API. The key is shared across the fleet, which is not ideal, so we are looking at OAuth as an alternative. Users do not log in to the app and it is more the device that makes the requests to the API. We use AAD and I was looking at the Device Code Flow as an option, but it looks like an AAD user is still required. Does anyone have any suggestions or experience here? Any help would be appreciated.

Regards


1 answer

  1. Alfredo Revilla (MSFT) 26,821 Reputation points
    2020-10-21T17:23:55.537+00:00

    You might try using client credentials flow, generate 1 secret per device and securely store it using Android Keystore. You could implement secret rotation using MS Graph in your API so that your clients get updated secrets from time to time.

    --
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

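The answer above replaces the fleet-wide API key with per-device client credentials, so the APIM side has to stop trusting a subscription key and start validating the AAD-issued access token instead. The following inbound policy fragment is an added example written for this thread, not code from the question, the answer, or Microsoft; `TENANT_ID_PLACEHOLDER`, `API_APP_ID_URI_PLACEHOLDER` and the app role name `Device.ReportHealth` are placeholders and assumptions (the app role must exist on the API's app registration and be granted to each device's application). It uses the standard `validate-jwt` policy, which checks signature, expiry, issuer and audience against the tenant's OpenID metadata, and additionally requires the role so that a token minted for some other API in the same tenant is rejected.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject any request that does not carry a valid AAD-issued bearer token
         for this API. Placeholder values: TENANT_ID_PLACEHOLDER and
         API_APP_ID_URI_PLACEHOLDER must be replaced with the tenant id and the
         Application ID URI of the API's app registration. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer">
      <!-- Signing keys are fetched from the tenant's OpenID configuration -->
      <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
      <!-- Only accept tokens whose audience is this API -->
      <audiences>
        <audience>API_APP_ID_URI_PLACEHOLDER</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0</issuer>
      </issuers>
      <!-- Client-credentials tokens carry granted application roles in the
           "roles" claim; require the (assumed) Device.ReportHealth role so a
           token for an unrelated API in the tenant cannot call this endpoint. -->
      <required-claims>
        <claim name="roles" match="any">
          <value>Device.ReportHealth</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

With one client per device, the `azp` claim of a v2.0 token identifies which device made the call, which is what the shared key could never give you: a leaked secret can be revoked for that single device without touching the rest of the fleet.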