Protect Admin REST API of SyncGateway - couchbase

I have an application will request Sync gateway through Admin REST API. So it’s possible to configure the sync gateway to use the client credentials grant flow to request Admin API?
My application and sync gateway are in different network.
The implementation look like this:
. Resource Owner : My application
. Resource Server : Sync Gateway
. Client Application : My application
. Authorization Server : my IDP server
thanks

Sync gateway admin rest API does not need any credentials to access as long as your client know the host or ipaddress of the sync gateway, client should be able to request admin API and client application network should be able to reach the network which sync gateway is hosted

Related

How to access secured API Management APIs linked to an Azure Static Web Application for local development with swa cli

How to call the secured API management linked APIs configured in azure portal when developing locally using SWA CLI? All I observed in the SWA configuration is meant for functions as APIs not the APIM.
https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management
When adding API Management APIs to an azure static web app, an automatic proxy product is created on APIM securing access to the API for this app via /api prefix on the static web app domain. I did not see any mentions of how this works for local development to pass the user claims from SWA emulator to the API via that proxy?
I was trying to do this recently and I don't think it's possible. My solution was to add a proxy to my dev server (in my case vite) to proxy all requests to the /api route to the Api Management URL, setting the necessary subscription key header.

Azure API Management IP for whitelisting

I have a bunch of app services listed in API management. These services call third party clients who want to whitelist my IP
I would like to give them the public IP address of the APIM instance. I tried to check this by having my app service hosted in APIM call a dummy function app I had created. In the dummy function app I logged the header details.
It appeared that the IP coming through was that of the app service and not the APIM instance. I was expecting (and hoping) it to be the APIM IP
See on APIM overview page, public IP will be visible in the top section
APIM is only a gateway in front of app service. It is not a host environment for app service. So if you call 3rd party services from within the app service, the IP of the caller will always be the app service. It won't be the IP of APIM. Actually the call won't go through APIM at all.

Securing free API App Service behind consumption API Management

I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management. Now I want the API to be only accessible through the APIM.
During the free testing phase, i restricted the access to the API to the IP of the APIM. As i do not expect my API to have high traffic and to save costs, i now switched to free and consumption tier.
As my APIM uses the consumption tier, there is no static IP that I could use to restrict the API access.
As my App Service uses a free plan, neither VNet Integration nor incoming client certificates are available.
Is there are a way to secure a free App Service API with a APIM in consumption tier with Azure except from implementing it myself?
You have a few options with Consumption SKU in mind:
Basic auth - make APIM send a well known secret and check for that secret in API App.
Client certificate authentication - make APIM use client cert to connect to API App and check for it there.

How to protect the Backend API against calls other than Azure API Management

I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.
All good so far. Here is the question (or challange?) :
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the follwoing question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

openshift 3 REST API authentication

Can we authenticate against OpenShift enterprise 3.2 or 3.3 REST API's using username and password instead of tokens?
Thanks much in advance!
As stated in openshift documentation:
Requests to the OpenShift Container Platform API are authenticated using the following methods:
OAuth Access Tokens
Obtained from the OpenShift Container Platform OAuth server using the /oauth/authorize and /oauth/token endpoints.
Sent as an Authorization: Bearer…​ header or an access_token=…​ query parameter
X.509 Client Certificates
Requires a HTTPS connection to the API server.
Verified by the API server against a trusted certificate authority bundle.
So you need to authenticate using either of these ways