What is the recommended approach for System-System integration using Azure Api Management?

Leonardo Ferreira 26 Reputation points
2021-09-09T00:54:55.187+00:00

What is the recommended approach for System-System integration using Azure Api Management where there are NO USERS involved?

In other words, I have an API exposed on API Management that will be consumed only by other systems acting on their own behalf (like tourism agencies booking hotel rooms). Currently the interested party goes to the developer portal, registers themselves and the application, and gets a token, which is provided in the "Authorization" header using the "Bearer" scheme.


1 answer

  1. Mike Urnun 9,786 Reputation points Microsoft Employee
    2021-09-10T00:31:29.22+00:00

    Hello @Leonardo Ferreira - Best practice-wise, the recommendation for securing Service-to-Service communication is to use certificate-based authentication and/or OAuth flow with Client_Credential grant type (aka: two-legged flow): Microsoft identity platform and the OAuth 2.0 client credentials flow.

    Since both options operate at different levels of the OSI model, it'd be good to implement both.

    Coming to the APIM side of things, it supports both options:

    1. How to secure APIs using client certificate authentication in API Management
    2. Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD

    What you currently have working is an OAuth flow with an Authorization Code grant type configuration based on option #2 referenced above, which is considered a three-legged flow that requires user consent, etc.

    Based on what we have above, you sort of have the following options now:

    1. Implement #1 above alone
    2. Implement #1 and modify your existing OAuth configuration to switch to the Client_Credential grant type.
    3. Simply switch to Client_Credential grant type but still introduce certificate in the flow: Azure API management – Enforce use of Certificate in Client Credentials Flow

    Lastly, I believe #3 is a great option but it won't hurt to add #1 to the mix too (for an extra layer of security). Hope this helps, let me know if any questions.

    1 person found this answer helpful.