API with both subscription key and OAuth method for authentication and authorization

Sumit Gaur 235 Reputation points
2024-08-06T17:05:50.7866667+00:00

Hi,

We have a requirement where we need to expose an API via APIM for both external and internal applications/customers.

For public access, we are using OAuth as the authentication and authorization mechanism, while for our internal applications/customers, some of the folks have asked to use an API key for authentication.

I have looked around and could not find a solution where I can use both mechanisms, OAuth and API key, in an OR situation, meaning when traffic comes from the public we validate via OAuth, and when traffic comes internally we use the API key. I have looked at the "Subscription required" property, but if I check this option it will look for an API key in all requests coming to APIM. The check-header option only validates the header against values defined in the policy, which I don't think is a good solution from a security point of view.

So how can I validate the API key without having the "Subscription required" option checked at the API level, and maybe use some sort of logic in the API global policy where I can, for example, branch on host name: if it is the external host name, validate the JWT token, and if it is an internal host name, validate the subscription key provided.

In case of an invalid token or API key, we send a 401 back to the client.

Can you provide any suggestions / solutions?

Azure API Management

1 answer

    Ryan Hill 28,191 Reputation points Microsoft Employee
    2024-08-06T21:46:25.2966667+00:00

    Hi @Sumit Gaur

    Short answer, yes, it is possible to use both OAuth and API keys on your APIM but with some caveats.

    As you've already determined, when you configure the use of a subscription key on a product, if it's missing, you'll receive a 404. The only way I know of to get around this is by using two separate products for your different customer types.

    1. Create Separate Products:
      • In the APIM portal, create two separate products: one for external clients and one for internal clients.
      • Configure the external product to use OAuth 2.0 by setting up the OAuth 2.0 server settings, including the authorization endpoint, token endpoint, client ID, and client secret.
      • Configure the internal product to require a subscription key.
    2. Assign APIs to Products:
      • Assign the same API to both products. This way, the API can be accessed using either OAuth tokens or subscription keys, depending on the product.
    3. Configure Policies:
      • In the APIM portal, navigate to the "APIs" section and select the API you want to configure.
      • Go to the "Design" tab and select the "Inbound processing" section.
      • Add a policy to validate the OAuth token using the validate-jwt policy for the external product. This policy will check the validity of the OAuth token.
      • Add a policy to validate the subscription key using the check-header policy for the internal product. This policy will ensure that the API key is present in the request headers.

    However, it isn't recommended to protect your API with just a subscription key. You should have another authentication scheme unless the data being returned to internal customers is something low-level like product info or usage information.

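An API-scope inbound policy that combines the two checks named in step 3 of the answer, branching on the request host name as the question proposes. This is an added example, not part of Ryan Hill's answer or of Microsoft's documentation; the host names, tenant ID, audience and issuer are placeholders to be replaced with your own values.

```xml
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Public host name: require a valid OAuth 2.0 bearer token (placeholder host) -->
            <when condition="@(context.Request.OriginalUrl.Host.Equals(&quot;api.example.com&quot;, StringComparison.OrdinalIgnoreCase))">
                <validate-jwt header-name="Authorization"
                              require-scheme="Bearer"
                              require-expiration-time="true"
                              require-signed-tokens="true"
                              failed-validation-httpcode="401"
                              failed-validation-error-message="Access token is missing or invalid.">
                    <!-- Placeholder tenant ID, application ID URI and issuer -->
                    <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
                    <audiences>
                        <audience>api://{api-app-id}</audience>
                    </audiences>
                    <issuers>
                        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
                    </issuers>
                </validate-jwt>
            </when>
            <!-- Internal host name (placeholder): the key itself is matched against issued
                 subscriptions by the internal product's "Requires subscription" setting;
                 this check only asserts the header is present and answers 401 when it is not.
                 No value elements are used, so no keys are hard-coded in the policy. -->
            <when condition="@(context.Request.OriginalUrl.Host.Equals(&quot;api.internal.example.com&quot;, StringComparison.OrdinalIgnoreCase))">
                <check-header name="Ocp-Apim-Subscription-Key"
                              failed-check-httpcode="401"
                              failed-check-error-message="Subscription key is missing."
                              ignore-case="true" />
            </when>
            <!-- Any other host name is rejected before reaching the backend -->
            <otherwise>
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                </return-response>
            </otherwise>
        </choose>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

This assumes the product setup from steps 1 and 2 of the answer: the same API added to an external product that does not require a subscription and to an internal product that does.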
