Azure APIM Api - Secure with Oauth2 & Subscription Key ?

Butcher, Daniel 0 Reputation points
2024-09-19T09:32:39.09+00:00

Looking for a little guidance here about best practise.

When creating an api on an existing APIM instance I am securing it with OAuth2 using the "validate-jwt" policy.

Should we also be using the subscription id as part of this process or is OAuth2 enough?

I don't see what additional security a subscription key alongside OAuth2 provides. Are you able to provide any best practise feedback?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,122 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Patchfox 3,921 Reputation points
    2024-09-19T10:26:37.44+00:00

    Hi Butcher, Daniel, I want to help you with your question.

    In the enterprise environment, I would always go the route of additionally securing the Auth Flow with Subscription IDs, unless there are critical or design reasons not to do so.

    OAuth 2 is already very robust in terms of security, but with the SubscriptionID I have another layer of protection and also get additional features in terms of monitoring and management, such as tracking API requests from different clients, enforcing rate limits, or simply withdrawing access


    If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you!


  2. Butcher, Daniel 0 Reputation points
    2024-09-25T13:39:09.6333333+00:00

    Thanks for the response - from what I understand the subscription id is just a basic form of auth and doesn't really provide any additional level of security that we don't already achieve from OAuth.

    Outside of the benefits of monitoring I can't really see the point. You could achieve withdrawing access by removing the secret from the app reg.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.