Azure APIM Policy to authenticate App Configuration service using access keys - azure-api-management

I'm trying to authenticate Azure App Configuration Service with access keys in APIM policies.
Can someone help with how we can authenticate Azure App Configuration Service using access keys in APIM policies?

You will need to implement the HMAC authentication as explained in the document below. There are code samples in a variety of languages in that doc too.
https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-hmac
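A reference signer for the HMAC scheme in the linked document, added here as an example (it is not code from the answer or from Microsoft). It builds the three headers a policy has to set, and `policy_output_matches`, a hypothetical helper, compares headers captured from a policy trace against it. The store URL, credential ID and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import urlsplit

SIGNED_HEADERS = "x-ms-date;host;x-ms-content-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def sign_request(method, url, body, credential, secret_b64, date=None):
    """Build the HMAC-SHA256 headers for one App Configuration request."""
    parts = urlsplit(url)
    path_and_query = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    date = date or formatdate(usegmt=True)  # RFC 1123 date in GMT
    content_hash = _b64(hashlib.sha256(body).digest())
    # String-To-Sign = METHOD \n path_and_query \n values of the signed headers
    string_to_sign = "\n".join(
        [method.upper(), path_and_query, f"{date};{parts.netloc};{content_hash}"]
    )
    key = base64.b64decode(secret_b64, validate=True)  # access key secret is base64
    signature = _b64(hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest())
    return {
        "x-ms-date": date,
        "x-ms-content-sha256": content_hash,
        "Authorization": (
            f"HMAC-SHA256 Credential={credential}"
            f"&SignedHeaders={SIGNED_HEADERS}&Signature={signature}"
        ),
    }


def policy_output_matches(captured, method, url, body, credential, secret_b64):
    """Check headers captured from a policy trace against the reference signer."""
    expected = sign_request(method, url, body, credential, secret_b64,
                            date=captured.get("x-ms-date"))
    return all(
        hmac.compare_digest(captured.get(name, ""), value)
        for name, value in expected.items()
    )


# Constructed sample values: not a real store, credential or key.
SAMPLE_URL = "https://example-store.azconfig.io/kv?api-version=1.0"
SAMPLE_SECRET = _b64(b"constructed-secret-for-illustration")
```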

Related

Using external IdP to authenticate to Banno

We want to utilize an external IdP that provides authentication services with Banno. Is there an option to configure it as OIDC IdP and redirect users to authenticate with it?
Looking through the Banno authentication framework, I only see references to pulling data from Banno assuming the user was already authenticated. I cannot find any documentation on how to configure redirect-to-IdP for authentication.
We don't have documentation specifically about that use case, but we do have docs about our support for OpenID Connect Discovery: https://jackhenry.dev/open-api-docs/consumer-api/api-reference/v0/oauth-and-openid-connect/#openid-connect-discovery
We're aware of folks using Amazon Cognito, Kong, and Firebase with our OIDC Discovery endpoint.
Note that those services may not support Proof Key for Code Exchange (PKCE). If that's the case, then you'll have to have Banno Admin for your financial institution turn off the "Require PKCE" option in the External Application.

How to access secured API Management APIs linked to an Azure Static Web Application for local development with swa cli

How to call the secured API management linked APIs configured in azure portal when developing locally using SWA CLI? All I observed in the SWA configuration is meant for functions as APIs not the APIM.
https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management
When adding API Management APIs to an azure static web app, an automatic proxy product is created on APIM securing access to the API for this app via /api prefix on the static web app domain. I did not see any mentions of how this works for local development to pass the user claims from SWA emulator to the API via that proxy?
I was trying to do this recently and I don't think it's possible. My solution was to add a proxy to my dev server (in my case vite) to proxy all requests to the /api route to the Api Management URL, setting the necessary subscription key header.

Can Azure API Management acquire access tokens from B2C?

We want to make our APIs available to external systems.
Our APIs are protected by "Access tokens" using OAUTH2 and Azure AD B2C as an Identity Provider.
Unfortunately, B2C does not support the "Client Credential Flow", so external systems cannot get tokens from B2C by passing their client id and their secret.
We are thinking of fronting the APIs with Azure API Management, and providing the external systems with Subscription Keys. Then once we verify the subscription key in API Management, we want to acquire an Access Token to call our back-end.
Is this possible? It seems like not because of the Client Credentials flow missing. However, I've seen videos from APIM experts claiming that it is possible. Am I missing something? Does APIM have special treatment?

How to access Developer Portal when Azure API Management is Internal?

How to access APIM developer portal from internet when APIM is kept internal?
I checked some Microsoft documentation but did not get how to do it.
You can integrate API Management in an internal VNET with Application Gateway.
Combining API Management provisioned in an internal VNET with the Application Gateway frontend enables the following scenarios:
- Use the same API Management resource for consumption by both internal consumers and external consumers.
- Use a single API Management resource and have a subset of APIs defined in API Management available for external consumers.
- Provide a turn-key way to switch access to API Management from the public Internet on and off.
Follow this link for more information: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

How to protect the Backend API against calls other than Azure API Management

I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are described here.
All good so far. Here is the question (or challenge?):
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How does the backend service know the identity and AAD group claims of the incoming call, and get access to its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the following question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How does the backend service know the identity and AAD group claims of the incoming call, and get access to its claims?
You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing (keep in mind that in some specific scenarios the VIP may change, and you will be required to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions