Azure API Management Security

I am working with Azure API Management and struggling with authentication.
Though the subscriber key is an option, the question is that if there are going to be hundreds of users it will be very difficult to manage keys for all users.
Also, I don't want Azure AD as an authentication mechanism.
I want to use the security provided by API Management.
I also tried the token-based approach of API Management, but the thing is it does require the subscriber key in the headers. If I want to get rid of the subscriber key,
what is the best option?

Related

Authentication vs Authorization?

I'm new to Azure ADB2C, and am confused by some of the terminology.
I am building a motorcycle ride monitoring website that I would like users to be able to log in to by verifying a social media identity (Google & Microsoft Account, for now).
But I only want users who are members of the site to be able to use certain features. For example, I'd like everyone who authenticates to be able to apply for membership, read about the benefits of membership, etc., but I only want members to be able to initiate ride monitoring.
Is the recommended approach here to only authorize (rather than authenticate, if I'm understanding the terminology correctly) certain authenticated users (i.e., members) to use the ride monitoring services?
If so, what's the best way to authorize a member? Look up their email (which I require to be returned from the authentication process) in a standalone database and proceed accordingly? If I go that way, what's the simplest way of adding their membership status to their credential, so I can access it throughout the site?
Apologies for not providing code here. I've got a bit of it hanging around :) but this is more of a design question than a coding one.
Azure AD B2C is primarily Authentication as a Service. There are ways in which it can be used for what you are trying to achieve here.
You can use custom (extension) attributes in AADB2C (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr) in combination with the AAD Graph APIs (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet). So when the user authenticates and applies for membership, you can call the AAD Graph API to set the custom attribute on the user object. You can get the extension attribute in the token after the authentication happens. This token will give you the membership of the user.
You can also use AAD Groups instead of custom attributes. In the tenant, create membership groups. Once the user authenticates, call AAD Graph to set/get the user's membership of a group, and that will give the authorization information.
You can also do what you described, maintaining the info in a database store of your application. But the first two options provide built-in functionality for user management.

Can you add multiple authentication providers for an API via Azure API gateway?

I was wondering if it's possible to add more than one authentication provider to protect an API endpoint via Azure API gateway.
From the portal, it doesn't seem like it is possible, since it only allows you to select one. Is there a workaround?
For example, I want a user to be able to sign in with Google as well as Facebook via OpenID Connect. Based on a successful validate-jwt in the policy of the API, they should be able to hit the actual endpoints.
Only one provider can be associated with an API at the moment. But this association does not affect runtime request processing in any way; it's purely for documentation and test console purposes. So if those are not important to you, it should not be a big deal.
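As an added illustration of the point made in the answer (not code from the original thread), the runtime check lives entirely in the API's inbound policy, where validate-jwt accepts more than one OpenID Connect discovery endpoint. The two client IDs are placeholders; the discovery URLs and issuer values are the providers' public ones.

```xml
<policies>
    <inbound>
        <base />
        <!-- Accept an ID token from either Google or Facebook. The portal's single
             "authorization server" setting is documentation-only; this policy is what
             enforces authentication at runtime. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      output-token-variable-name="jwt">
            <!-- Signing keys are fetched from each provider's discovery document. -->
            <openid-config url="https://accounts.google.com/.well-known/openid-configuration" />
            <openid-config url="https://www.facebook.com/.well-known/openid-configuration/" />
            <!-- Pin the issuers: a valid signature alone is not enough. -->
            <issuers>
                <issuer>https://accounts.google.com</issuer>
                <issuer>https://www.facebook.com</issuer>
            </issuers>
            <!-- Placeholder client IDs: tokens minted for any other app are rejected. -->
            <audiences>
                <audience>{GOOGLE_CLIENT_ID}</audience>
                <audience>{FACEBOOK_APP_ID}</audience>
            </audiences>
        </validate-jwt>
        <!-- Forward the verified identity to the backend. "sub" is only unique per
             issuer, so the issuer is forwarded as well to avoid collisions between
             a Google subject and a Facebook subject. -->
        <set-header name="X-Authenticated-Issuer" exists-action="override">
            <value>@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("iss", ""))</value>
        </set-header>
        <set-header name="X-Authenticated-Subject" exists-action="override">
            <value>@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("sub", ""))</value>
        </set-header>
        <!-- The backend trusts the gateway's headers; do not leak the raw token to it. -->
        <set-header name="Authorization" exists-action="delete" />
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

Any request whose token fails signature, expiry, issuer or audience checks is rejected with 401 before it reaches the backend, regardless of which provider is selected in the portal.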

Azure AD/Microsoft Graph API authentication implementation on web application

I wanted to implement O365 authentication in my current project. My intention is to standardize/centralize the login of employees and the administrative staff of the portal using Microsoft O365 authentication.
I managed to test out some of the sample projects online, and it seems a bit confusing because there are different ways of authenticating.
My ideal implementation is something as the drawing below.
On the API gateway for employee front end portal, I wanted to implement a gateway to verify the Microsoft access_token passed and obtain the (sid / object_id) to cross check with my employee database for function access.
As for the Administrator front end portal, it will be responsible for syncing the users from Azure AD daily automatically, or the admin triggers the sync manually.
What confuses me is that there are several ways to obtain the access_token; some tokens managed to return the info I wanted, but I'm not entirely sure if that is the correct implementation.
For the case of verifying and syncing users from Azure AD, both accept different access_tokens in order to get the data/information.
Would any expert here mind guiding me to the correct path for implementing the design above, or correcting the implementation if it is wrong?

Azure Api Service and Individual accounts

I've originally used Web API 2 with Individual Accounts so that users can create a new account by supplying a username/email and password which is stored in my DB.
I'm now looking to put this API into Azure API service and have looked at the documentation about authentication but this mostly talks about external authentication. Can we use Individual Accounts with Azure API or will I need to handle this myself within the actual API?
Also, with the third party authentication all the examples use a redirected website (Facebook, Google) to get the user to log in. I want to call this from a mobile app, so does it support external authentication using API calls or will I have to do that myself?
Thanks
There is no problem in using the security you originally used. The documentation you are looking at describes how to do claims-based authentication, authentication with Azure AD, and internally securing your application with service principals. When using a mobile device, you can go with claims authentication. However, you should first figure out what you really want to do.

Azure API Management - Subscription keys for Applications?

I've been playing around with API Management and it looks great. The only issue I have is that when calling an API you need to pass a subscription key, which is linked to a 'User'. In the majority of use cases the caller of our APIs are Applications (back-end services).
Am I supposed to be creating a User account per Application, or is there another way for me to obtain a security key for the App?
I have had a brief look at AD, however I don't want to go down that route straight away.
Thanks
You can create a single "API Consumer" user and use the key assigned to that user for all your back end services. Or you could create a separate user for each of your services. By creating a separate user, you would have the ability to independently revoke access to certain services and control rate limiting/quotas independently.
