Last-mile security with OAuth-enabled APIs


what recommended approach last-mile security (between apim proxy , back-end services) apis protected using oauth 2.0?

seems options are:

  1. on api -> security tab, configure proxy authentication "none", and use ip white-listing ensure apim proxy can communicate back-end service (which must available on public internet).  this approach requires static ip apim available in standard tier (thus more expensive while in development).
  2. on api -> security tab, configure proxy authentication "none", , use shared secret approach, involves using secret, publisher-defined key/value pair in request header coming apim (with special code on back-end verify incoming value).  the drawback approach is less-formal mechanism requires process around regularly rotating secret value.
  3. on api -> security tab, configure proxy authentication "mutual certificates", , specify client certificate in dropdown.  the drawback approach managing cert itself.

"basic authentication" can't used in scenario because of conflicting "authorization" request header (i.e., both basic authentication , oauth 2.0 make use of "authorization" request header there'd no way support both values).  in apim, on api -> security tab if specify proxy authentication = "basic authentication" when api configured use oauth 2.0 receive following error message when saving:

"disable authorization request header token sending method first"

it seems me option 3 ideal.  using mutual certificates secures communication between proxy , back-end service, , works both standard , developer tiers it's inexpensive while in development.  once in production, can combined ip white-listing if desired.

any guidance or suggestions appreciated.

thanks!

ben,

in situation, agree mutual authentication might best choice.

regards,

miao



Microsoft Azure  >  Azure API Management



Comments

Post a Comment

Popular posts from this blog

Azure DocumentDB Owner resource does not exist

having same error microsoft.azure.documents.documentclientexception: message: {"errors":["owner resource not exist"]} , scenario. when deployed webapp azure , try document docdb throws error. docdb exists in azure , contains document looking for. weird local machine(running vs) works fine. i'm using same settings in azure , local. have , idea this. thanks Microsoft Azure  >  Azure Cosmos DB
Read more

job syspolicy_purge_history job fail in sqlserver 2008

Image
hello guys, when installed sqlserver,it automatically created 1 job name job syspolicy_purge_history. but failed @ step 1. the reason is: date                11/6/2010 2:00:00 am log                job history (syspolicy_purge_history) step id                1 server                mxosv-otsdb01 job name                syspolicy_purge_history step name                verify automation enabled. duration                00:00:00 sql severity                16 sql message id                34022 operator emailed                operator net sent                operator paged                retries attempted                0 message executed user: nt authority\system. policy automation turned off. [sqlstate 42000] (error 34022).  the step failed. have run statement: select msdb.dbo.fn_syspolicy_is_automation_enabled the returned valus 0. what can resolve it? or can delete job manually.   thanks in advance. if haven't things want,be
Read more

Trying to register with public marketplace error with 'Get-AzureStackStampInformation'

when trying register against public azure adfs azure stack error below. logs can found at: c:\maslogs\azurestack.azureregistration.2017-10-12.01-31-23.log  and  \\azs-ercs01\c$\maslogs error occurred checking stamp information: system.management.automation.remoteexception: term 'get-azurestackstampinformation' not recognized name of cmdlet, function, script file, or operable program. check spelling of name, or if path included, verify path correct , try again. @ c:\azurestack-tools-master\registration\registerwithazure.psm1:1106 char:5 +     throw "logs can found at: $global:azureregistrationlog  and  \ ... +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + categoryinfo          : operationstopped: (logs can fou... , try again.:string) [], runtimeexception     + fullyqualifiederrorid : logs can found at: c:\maslogs\azurestack.azureregistration.2017-10-12.01-31-23.log  a    nd  \\azs-ercs01\c$\maslogs error occurred chec
Read more