Hello @Leonardo Ferreira - Best practice-wise, the recommendation for securing Service-to-Service communication is to use certificate-based authentication and/or an OAuth flow with the Client Credentials grant type (aka: two-legged flow): Microsoft identity platform and the OAuth 2.0 client credentials flow.
Since both options operate at different levels of the OSI model, it'd be good to implement both.
Coming to the APIM side of things, it supports both options:
- How to secure APIs using client certificate authentication in API Management
- Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD
What you currently have working is an OAuth flow with an Authorization Code grant type configuration based on option #2 referenced above, which is considered a three-legged flow that requires user consent, etc.
Based on what we have above, you sort of have the following options now:
- Implement #1 above alone
- Implement #1 and modify your existing OAuth configuration to switch to the Client Credentials grant type.
- Simply switch to the Client Credentials grant type but still introduce a certificate in the flow: Azure API management – Enforce use of Certificate in Client Credentials Flow
Lastly, I believe #3 is a great option but it won't hurt to add #1 to the mix too (for an extra layer of security). Hope this helps, let me know if any questions.