APIM AD OAuth2 security - Creating multiple client IDs and secrets to provide to different partners consuming the same API (my organization's API, e.g. Quote Search API), and I should have details of which partner called the API based on the token they passed.

Ravi Nagumalli 21 Reputation points
2022-01-23T12:04:48.223+00:00

Requirement: We have search APIs which we need to provide to our 100 different partners.
1.) For securing the API we would need to give a unique ClientID/Secret to each partner.
2.) After the client calls the API, I would need to know which partner has called the API through the token, so that I can query the data specific to that partner only and provide it in the response.

In the current world, we are doing this through Oracle API Gateway by generating separate ClientIDs per partner and providing the new ClientID and Secret to each partner.

We are currently moving to Azure APIM, and when I try to do the same in Azure, I could not figure out the option of creating multiple ClientIDs and Secrets for the same API within an App. Could you help me with how I can attain this?

If I create multiple Apps in Azure AD, my understanding is that every time I create an App I will need to add the ClientID in the "Inbound processing" policies in the API Management APIs, where I registered my APIs. I don't want to do this, as it's an additional manual task for onboarding partners to consume the APIs. Also, I am not sure if the above inbound policies can accept multiple ClientIDs.

My requirement is:
1.) One-time API registration; if I need to provide the APIs to new partners, I should be able to just generate a unique ClientID and Secret, provide them these IDs, and they should be able to use the API.
2.) When the partner calls the API, I should be able to recognize the partner's call, so that downstream, based on the partner who called the API, I will search the data specific to that partner and provide it in my API response.

Hope I have clarified the details here. Please help with what options I have to register the APIs in Azure AD with the above requirement.

Microsoft Partner Center API
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Accepted answer
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
2022-01-26T11:57:44.983+00:00

Hi @Ravi Nagumalli,

Thanks for reaching out. Apologies for the delay in response.

To register APIM as an OAuth application in Azure AD, the Client ID and Client Secret are just a one-time setup requirement.

You should be able to generate multiple client secrets for the same application, but the client ID will remain the same. Also, Azure AD tokens don't recognize different client secrets; the token contains only the client ID, which would be the same from each partner for the same API.

In your scenario, to achieve this using Azure AD, you need to register your search APIs in Azure AD, which means the API is protected by Azure now, and to access the protected API each partner needs to fetch a token from Azure AD to access the search API further.

In this case, the different partners that might be invoking the protected search API from different platforms (native, web, mobile) would need to be registered in Azure AD separately, and then they can use different OAuth approaches to fetch the token and pass it as a Bearer token in the Authorization header to access your search API.

Only those front-end applications registered in Azure AD which have permissions to the custom API can access the search API. You should be able to identify which partner (client application) is calling the custom API using the app_displayName and appId claims in the access token, and based on that filter the specific data in the search API.


In case of more questions related to this, we are happy to help and elaborate further.

Thanks,
Shweta
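The pattern described in the answer (register the search API once, register each partner as its own Azure AD client application, and let the gateway identify the caller from the token) can be expressed as a single APIM inbound policy. This is an added example, not the answer's or Microsoft's own policy; the tenant ID, the API's application ID URI and the `Search.Read` app role are placeholders, and the `appid` claim assumes a v1.0 access token (v2.0 tokens carry the caller's app ID in `azp` instead).

```xml
<policies>
    <inbound>
        <base />
        <!-- One-time setup: accept any Azure AD token issued for this API, whichever
             partner app obtained it. Restricting issuer and audience prevents tokens
             minted for other tenants or other APIs from being replayed here. -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer" output-token-variable-name="jwt">
            <!-- placeholder tenant ID -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://{search-api-client-id}</audience>  <!-- placeholder -->
            </audiences>
            <issuers>
                <issuer>https://sts.windows.net/{tenant-id}/</issuer>  <!-- v1.0 issuer, placeholder tenant -->
            </issuers>
            <!-- Require an app role granted to the partner app on the API registration,
                 so a token is only accepted from apps you explicitly onboarded. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Search.Read</value>  <!-- placeholder role name -->
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- The partner identity comes from the validated token, never from a
             caller-supplied header: override anything the client sent. -->
        <set-header name="X-Partner-AppId" exists-action="override">
            <value>@{
                var jwt = (Jwt)context.Variables["jwt"];
                // v1.0 tokens: appid; v2.0 tokens: azp
                return jwt.Claims.GetValueOrDefault("appid",
                       jwt.Claims.GetValueOrDefault("azp", ""));
            }</value>
        </set-header>
        <!-- Refuse requests whose token carries no recognisable calling app. -->
        <choose>
            <when condition="@(string.IsNullOrEmpty(context.Request.Headers.GetValueOrDefault("X-Partner-AppId", "")))">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

Onboarding a new partner then means creating their Azure AD app registration and assigning it the API's app role; the policy and the backend's `X-Partner-AppId` lookup stay unchanged. Log the forwarded app ID alongside each request so that per-partner access can be audited and unexpected callers spotted.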

