This is a follow-up to the question about how to secure subscription keys when calling API from client-side code.
I read through Microsoft's documentation that states: "By publishing APIs through API Management, you can easily secure API access using subscription keys." However, if you have a client-side app that wants to call API, the subscription keys will be visible to anyone who inspects the HTTP request in browser web tools.
Now anyone can take your subscription keys and make API calls on your behalf.
Am I missing something here?
Related
I'm looking for a away to protect my APIs in APIM, I really don't understand the difference between Subscription Key and OAuth 2.0 using Access Token. Can we use OAuth2.0 instead of Subscription Key or use both ?
As per my understanding,
In Simple:
Subscription keys are the common way to access the Azure APIs in APIM instance.
If the API requires subscription key to access it by the user, then we call it as secured API. Otherwise, it is unsecured API and mostly used by the public.
But for unsecured access to that certain APIs, configuring another mechanism to secure client access is recommended.
Those other mechanisms to secure access to APIs in APIM were OAuth 2.0, Client Certificates, and Restring caller IPs.
As DeepDave recommended this SO Thread states that,
It is not possible to use OAuth token to identify client, but you can use it for rate-limiting and logging (of sorts).
You can identify the users and their level of access (To how many products/APIs, they have access) easily by using subscription keys because they are associated on 3 scopes like Product level, All APIs level, or an individual level.
OAuth 2.0 provides extra layer of security both in Authentication and Authorization.
To Implement the other mechanisms like OAuth2.0 or other, these references are useful:
Protect APIM using OAuth2.0
API Protecting Mechanisms in Azure
A Workaround of Protecting APIs in Azure API Management using OAuth 2.0 Client Credential Flow & test using Postman
Extra layer of security to avoid unauthorized access to APIs using OAuth 2.0
I have a google cloud function in Java.
Client will invoke the function using HTTP trigger URL.
But that is not secure. I have gone through some docs saying that you should pass a token or client ID and then verify it in server side.
Can anyone explain that in detail and please provide a code example if any.
My doubt is to authenticate the client while they invoke the function using Http trigger
This page explains quite well all the capacity that you have to authenticate a requester on Cloud Functions.
If you have users, the best way is to use Firebase Auth (our Google Cloud Identity Platform which is simply a more advance solution than Firebase Auth with more features)
However, you need to grant all you user with cloudfunction.invoker role, to allow them to invoke the Cloud Functions. It could be difficult. You can also perform the check on your side, but in this case you remove the security (filter) layer of google and you have to check all the traffic by yourselves (not really safe, in term of billing and in case of attack).
The latest solution, API keys, is not recommended, especially for the users. But for machine to machine it's sometime the only solution. However, there isn't out of the box solution and for this I wrote an article, that explains how to create a Cloud Endpoint (or now a Cloud API Gateway which is the serverless solution of Cloud Endpoint with ESPv2) to accept API Keys.
With this latest solution, if you change your security definition, you can also accept OAuth2 tokens coming from Firebase Auth (or Cloud Identity Platform), but this time, you don't need to grant all the users on your Cloud Functions IAM role. The token only need to be valid and it's the Cloud Endpoint service account which is used to perform the call (and thus which needs to be authorized on the Cloud Functions).
In addition, because you can accept OAuth2 token, you can also accept non Google token, and thus have your users in any IDP OAuth2 compliant (KeyCloak, Okta,...)
You could use external OAuth server like keycloack (https://github.com/keycloak/keycloak), or use somethging like Json Web Tokens -- https://jwt.io/ -- available for various languages, siutable for microservices.
I have an enpoint in my MERN app which I would like to expose to developers.
I came across APIM and would like to use it.
After going to the documentation I would like to know how do I can use APIM for my specific enpoint and where I allow users to generate API's in my client side react app.
I am also going through the API management API. but don't know how to generate user specific API keys...
You could simply mimic what the Developer Portal does using APIMs REST API.
If you are using the Consumption Tier of APIM, you can just create a standalone subscription using the Create or Update Subscription API. Yon don't have to set properties.ownerId in the request payload here.
On the other tiers, standalone subscriptions are not supported yet (but will be as mentioned in the official announcement blog under New Features), so you will have to create a user first using the Create or Update User API and then create a new subscription mentioning this user under properties.ownerId as /users/{userId}.
Since these REST APIs call the Azure Management API, you shouldn't be making these requests from the client and instead should be calling this from your backend.
I was wondering if someone was able to provide some information regarding the Azure Management Portal. My question is whether the Portal can cater for stubbing APIs?
I have added an API via the Portal as well as some operations however, the documentation isn't clear whether the real API has to be published to Azure.. I was thinking I can add example requests and responses without a real API behind it, i.e. a stub?
You can add a stub easily enough. See the default 'echo' endpoint that comes with each new API that you add to API Management. Copy that pattern and you can build a stub. The API Management documention is some of the better content for Azure so I'd recommend reading it.
I'm currently working in HTTP JSON API for a touristic webapp. The webapp will be developed by a third-party company and it'll consume the API within the browser.
So I need for the API some sort of authentication to the third-party webapp can consume it. I've been researching a little bit about OAuth, but with this, I have a solution for a user-wide but not for application-wide authorization.
Because the webapp will consume the API within the browser(with Ajax), I'm concerned they will have to put the credentials to consume the API in the user browser.
Another solution would be place the credentials for the API in the server-side, but this don't depend on me.
You could always use something similar to google's method, with a client ID and then a private key used to generate a signature.
https://developers.google.com/maps/documentation/business/webservices#generating_valid_signatures
That page has some code samples as well.