Secure ways to obtain and pass subscription key through APIM using SPA hosted in Storage Account

Question

Secure ways to obtain and pass subscription key through APIM using SPA hosted in Storage Account

hampton123 1,180

Currently I have a self-hosted developer portal in my Azure Storage account. Users sign in via B2C, and then they are able to access whichever APIs are presented on the page that correlate to their input subscription key. Right now, this subscription key is located as a query parameter in the developer portal's URL (hosted by the SPA in Storage Account).

I don't want the URL to contain the subscription key because if the key was publicly shown to users and it is not rotated, then outside users could just sign up through the developer portal, sign in through B2C, and potentially access APIs they should not have access to. What is a secure way to obtain the subscription key associated with the B2C user, and provide that in API requests?

I was thinking that a more secure way to provide the subscription key is to make the API Management Service check the user's B2C token. Then, based on the B2C token, the subscription key associated with the B2C user would be provided through the request headers. For example, a SQL database with each row representing a user would have a column including their subscription key. The B2C token's object id would be prepared with each entry, and then when the user's object id matches a row, the subscription key associated with the B2C token would be passed back to the SPA.

Thank you for your help in advance, and please let me know if anything needs clarification.

3 answers

Your answer

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

MuthuKumaranMurugaachari-MSFT 22,446 Moderator

hampton123 Thanks for posting your question in Microsoft Q&A. I assume you have followed doc: Authenticate with Azure AD B2C for users to sign up/sign in via B2C and then access APIs. You are looking to secure the way to obtain subscription keys. Correct?

You can configure Products in APIM to require approval and users would need to submit a subscription request in the developer portal. Only after the approval of subscription request by admin, users can get subscription keys and access APIs in the product.

Source: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-add-products?tabs=azure-portal#create-and-publish-a-product User's image

With the above approach, still any B2C users can sign up in the developer portal but don't have access to Product's APIs. If you are in need to restrict such sign up, consider implementing delegation endpoint as described in doc: Delegating developer sign-in and sign-up. This provides more flexibility in adding your custom logic in that endpoint and applies for product subscription as well.

I hope this helps and let me know if any questions.

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

hampton123 1,180 Reputation points

2023-12-21T16:13:17.02+00:00

Hi Muthu, hope you're doing well and thanks for the quick response!

This is actually the main doc that I've used, I'm not using Azure APIM's built-in developer portal - I created this portal myself.

I'm looking for a secure method for users to provide their subscription keys with their API requests through my developer portal. I have a SPA that (on login) passes the user's B2C token and their subscription key to the API they choose in my developer portal. Right now, however, when they sign in via the SPA they are required to pass their subscription key with the URL of the storage account hosted SPA. The URL currently looks like https://storageaccountname.123.web.core.windows.net?sub-key=subscriptionkeyhere with the sub-key query parameter being the user's subscription key. The B2C token and the subscription key are required for the APIs to execute.

Although the keys are rotatable, I don't want users to be able to see their subscription key in the URL. I was wondering if there was a more secure way for the subscription key to be provided in API requests in the developer portal. Since the subscription key can be passed in the header, I was thinking something like this could be the way to go, but I'm not 100% sure.

Thanks Muthu, I look forward to your response.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T17:03:14.05+00:00

hampton123 You can still delegate product subscription workflow in the self-hosted portal also but make sure CORS settings are enabled as described in Configure CORS settings for developer portal backend doc (see similar discussion).

I recommend following this approach for enabling subscription keys only to certain business use cases.

However, the approach you described may be suitable for specific application scenarios and would be a way to go. Unfortunately, there is no other built-in solutions that could help.
hampton123 1,180 Reputation points

2023-12-21T19:45:51.97+00:00

Hi MuthuKumaranMurugaachari-MSFT,

Thank you for the response! I'm still looking into delegating product subscription workflow as this is the first time I would be using it, but would it work for a consumption-based API Management service? I've tried following the article you sent however I do not see "Delegation" in my API Management service, and I think it is because my API Management service is consumption-based.

If this is not possible, then should I go with attempting to pass the subscription key through the header as previously stated? Thanks again for your assistance.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T20:12:02.39+00:00

hampton123 Yes, the delegation features are not available in consumption tier (only available in Premium, Standard, Basic, and Developer tiers). For consumption tier, exploring that approach makes sense.
hampton123 1,180 Reputation points

2023-12-21T20:32:53.4566667+00:00

MuthuKumaranMurugaachari-MSFT Do you have any recommended approaches for assigning users to subscription keys?

The method that I though of was that the SPA would send a request with the B2C token to an Azure Function after the user logs in, then the Azure Function would access an internal SQL database (containing all tokens and their assigned subscription keys) and return the subscription key in the header to the SPA based on the user's object id. Then the subscription key along with the B2C token would be passed to whichever API is called.

What do you think of this approach? If you know any other secure methods I would love to hear what you think, this is just an initial idea I thought of implementing. Thanks again for your help Muthu!

Share via

Secure ways to obtain and pass subscription key through APIM using SPA hosted in Storage Account

3 answers

Your answer