API-Management Securing and Products

McAninch, Robin 51 Reputation points
2021-01-25T21:45:23.297+00:00

Hi
This is probably a stupid or at best awkward question. We had an API secured in Azure AD with roles (scopes) associated with it and a Client ID also created in Azure AD in a headless (daemon) process. The .NET Core API had Authorize tags, and in the methods I used HttpContext.ValidateAppRole("Scope") to limit access. We have been directed to use API Management in its place, which is fine. I mention this to illustrate the mindset.

We had an environment set up for us in test to play with. It has been explained to me that we need to have the client authenticate to API Management using a custom client ID/client secret; from there it needs to call a separate client ID/client secret that is the only access to the underlying API, so many clients (in theory) call API Management with their own keys but only one call goes to the backend API.

To me it seems that I have lost the app roles since the calls are being funneled through the secondary non-published call, so I thought I could build products for clients to replace this loss, but here is where I get lost. A subscription key at the product level works, but that isn't enough security, and each client needs their own client ID and client secret. How do you set this up and tie in the product, or am I off track? If authentication is truly general at the highest level and points back to our Azure AD, and the authorization is the product subscription, how do I set this up? Any help would be appreciated, as perhaps I am finding my answer in the documentation but not realizing what I am looking at.

Thank you.


Accepted answer
    ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2021-01-28T21:23:49.717+00:00

    Hello @McAninch, Robin , my sincere apologies for the delay.

    Currently API Management supports the following mechanisms for securing access to APIs (apart from subscriptions):

    1. OAuth2.0
    2. Client certificates
    3. Restrict caller IPs

    By following the OAuth 2.0 tutorial above you can secure your backend application using Azure AD and register and grant permission to the client application as required in Azure AD. You can also enable OAuth 2.0 user authorization in the Developer Console. Please let me know if there are any concerns here. Additionally, you can also go through this documentation for the Developer portal to authorize developer accounts by using Azure Active Directory or authorize developer accounts using OAuth 2.0.

    It might also help if you go through this tutorial to understand more about how to create groups and associate them with products. Thank you!

    Please let me know if there are any concerns, I will be glad to continue with our discussion. Thank you!

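The three mechanisms the answer lists (OAuth 2.0, client certificates, caller IP restriction), layered on top of the product subscription the question already has, as an added example API Management inbound policy. This is illustrative code written for this page, not taken from the thread or from Microsoft's documentation. It assumes two Azure AD app registrations: `api://contoso-orders-gateway`, which clients request tokens for and on which an `Orders.Read` app role is defined and assigned to each client's service principal, and `api://contoso-orders-backend`, which the backend API trusts. It also assumes a named value `aad-tenant-id` and uses the `203.0.113.0/24` documentation range as a placeholder for the clients' egress addresses. All of these names and values are assumptions.

```xml
<!-- Added example policy (not from the thread). Attach at the product scope so every API
     in the product inherits it; the product subscription key still identifies the client,
     and the token below proves which Azure AD client it is and what roles it holds. -->
<policies>
  <inbound>
    <base />

    <!-- 1. OAuth 2.0: require a valid Azure AD access token on every call.
         App roles granted to a daemon's app registration arrive in the "roles" claim,
         so the per-client authorization the question was worried about losing is
         enforced here at the gateway instead of inside the backend code. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="A valid Azure AD access token is required.">
      <!-- {{aad-tenant-id}} is an assumed named value holding the tenant ID -->
      <openid-config url="https://login.microsoftonline.com/{{aad-tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- Application ID URI of the gateway app registration (assumed value) -->
        <audience>api://contoso-orders-gateway</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{{aad-tenant-id}}/v2.0</issuer>
      </issuers>
      <required-claims>
        <!-- Only clients whose service principal was assigned this app role get through -->
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>

    <!-- 2. Client certificate: reject calls without a verifiable client certificate.
         Requires "Negotiate client certificate" to be enabled on the gateway hostname. -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
        <return-response>
          <set-status code="403" reason="A valid client certificate is required." />
        </return-response>
      </when>
    </choose>

    <!-- 3. Restrict caller IPs: placeholder range, replace with the clients' real egress addresses -->
    <ip-filter action="allow">
      <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>

    <!-- Backend hop: the gateway authenticates to the backend with its own managed identity,
         so the one credential that can reach the backend is never handed to any client. -->
    <authentication-managed-identity resource="api://contoso-orders-backend" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

With this layout each client keeps its own Azure AD client ID and secret (or certificate) and its own product subscription key, while the backend only ever sees the gateway's identity. The `authentication-managed-identity` policy is one way to implement the single backend credential the question describes; if the environment instead mandates a separate client ID/secret for the backend hop, the same position in the policy is where that token would be obtained and set, and the secret should then live in a named value backed by Key Vault rather than in the policy text.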
