What is the recommended approach for System-System integration using Azure Api Management?

Leonardo Ferreira 26 Reputation points
2021-09-09T00:54:55.187+00:00

What is the recommended approach for System-System integration using Azure Api Management where there are NO USERS involved?

In another words, I have an api exposed on API Management that will be consumed only by other systems acting on their own behalf (like tourism agencies booking hotel rooms). Currently the interested party goes to the developer portal, register himself, the application and gets a token, which will be provided on the "Authorization" header using the "Bearer" scheme

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,852 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Mike Urnun 9,776 Reputation points Microsoft Employee
    2021-09-10T00:31:29.22+00:00

    Hello @Leonardo Ferreira - Best practice-wise, the recommendation for securing Service-to-Service communication is to use certificate-based authentication and/or OAuth flow with Client_Credential grant type (aka: two-legged flow): Microsoft identity platform and the OAuth 2.0 client credentials flow.

    Since both options operate at different levels of the OSI model, it'd be good to implement both.

    Coming to the APIM side of things, it supports both options:

    1. How to secure APIs using client certificate authentication in API Management
    2. Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD

    What you currently have working is an OAuth flow with an Authorization Code grant type configuration based on option #2 referenced above, which is considered a three-legged flow that requires user consent, etc.

    Based on what we have above, you sort of have the following options now:

    1. Implement #1 above alone
    2. Implement #1 and modify your existing OAuth configuration to switch to the Client_Credential grant type.
    3. Simply switch to Client_Credential grant type but still introduce certificate in the flow: Azure API management – Enforce use of Certificate in Client Credentials Flow

    Lastly, I believe #3 is a great option but it won't hurt to add #1 to the mix too (for an extra layer of security). Hope this helps, let me know if any questions.

    1 person found this answer helpful.