Last-mile security with OAuth-enabled APIs


what recommended approach last-mile security (between apim proxy , back-end services) apis protected using oauth 2.0?

seems options are:

  1. on api -> security tab, configure proxy authentication "none", and use ip white-listing ensure apim proxy can communicate back-end service (which must available on public internet).  this approach requires static ip apim available in standard tier (thus more expensive while in development).
  2. on api -> security tab, configure proxy authentication "none", , use shared secret approach, involves using secret, publisher-defined key/value pair in request header coming apim (with special code on back-end verify incoming value).  the drawback approach is less-formal mechanism requires process around regularly rotating secret value.
  3. on api -> security tab, configure proxy authentication "mutual certificates", , specify client certificate in dropdown.  the drawback approach managing cert itself.

"basic authentication" can't used in scenario because of conflicting "authorization" request header (i.e., both basic authentication , oauth 2.0 make use of "authorization" request header there'd no way support both values).  in apim, on api -> security tab if specify proxy authentication = "basic authentication" when api configured use oauth 2.0 receive following error message when saving:

"disable authorization request header token sending method first"

it seems me option 3 ideal.  using mutual certificates secures communication between proxy , back-end service, , works both standard , developer tiers it's inexpensive while in development.  once in production, can combined ip white-listing if desired.

any guidance or suggestions appreciated.

thanks!

ben,

in situation, agree mutual authentication might best choice.

regards,

miao



Microsoft Azure  >  Azure API Management



Comments

Post a Comment

Popular posts from this blog

Azure DocumentDB Owner resource does not exist

having same error microsoft.azure.documents.documentclientexception: message: {"errors":["owner resource not exist"]} , scenario. when deployed webapp azure , try document docdb throws error. docdb exists in azure , contains document looking for. weird local machine(running vs) works fine. i'm using same settings in azure , local. have , idea this. thanks Microsoft Azure  >  Azure Cosmos DB
Read more

BizTalk Server 2013 Azure VM Log Shipping and HA for hosts

hi , background: for our customer, having a  2 biztalk , 1 sql setup of environment. [biztalk server 2013 azure vms provisioned azure gallery, sql server 2012 azure vm ]. in current configuration, there no high availability or disaster recovery plan set. want implement dr , possibly ha configuration on these servers. i have few questions regarding same. please let me know thoughts on same. currently writing log files (log shipping files) mounted/attached drive same sql server. how move these log files across secondary site since shared storage not supported. in case of sql server crash, losing log files since reside on same server. please share options on how can move these periodically between datacenters. for hosts pop3, ftp need host clustering (which requires biztalk machines present on windows cluster traditionally), please let know how achieve in azure scenario thanks , regards, ujjwal devarapalli -ujjwal you can refer article, issue azure vm lo...
Read more

How to send non-standard Content-Type header ?

hello, my custom client developed send custom content-type header "xyz" (with out "/"). message gone in lcs 2005. after have upgrade lcs 2005 ocs 2007 r2 in test environment. custom client not able send same custom content-type in ocs 2007 r2 used possible send in lcs 2005. below cut ocs 2007 r2 accessedge log file. tl_warn(tf_component) [0]0f68.0bb4::11/08/2010-06:02:51.546.00000de7 (sipstack,ccontenttypeheader::parse:contenttypeheader.cpp(118))( 00000000036249f0 ) exit - media-type syntax error in getting "/" tl_error(tf_component) [0]0f68.0bb4::11/08/2010-06:02:51.546.00000de8 (sipstack,csipmessage::parseallheaders:sipmessage.cpp(6408))( 0000000003566a50 ) exit. failed while parsing header. tl_error(tf_component) [0]0f68.0bb4::11/08/2010-06:02:51.546.00000de9 (sipstack,csiprequest::validateinboundheaders:siprequest.cpp(1391))( 0000000003566a50 ) exit - failed while parsing header. returned 0xc3e93f51(sipproxy_e_invalid_content_type_header)...
Read more