Configuring API authentication and access

Azure API Management

Fiodar Sazanavets

Senior Software Engineer at Microsoft

Importance of API security

HTTP security

  • API endpoints are often public
  • Data behind the APIs needs to be protected
  • Especially applicable to sensitive data

Authentication overview

  • Authentication and authorization are not the same
  • Authentication proves the identity of the caller
  • Logging in with a username and password is a type of authentication

Sign in form


Authorization overview

Unsecure vs secure requests

  • Authorization controls permissions
  • An authenticated user can still be unauthorized
  • Example: only admins can access an admin area

Weather app example

Weather app authorization


Introduction to OAuth

  • OAuth is used for authentication
  • Also used for authorization
  • Complex security protocol
  • Has a very high security rating

Access token issuing


Google OAuth example

API key authorization in Azure functions

  • Authentication is not always required for authorization
  • HTTP endpoints can be secured with API keys
  • An API key is a long string of characters
  • In Azure Functions, a default key is generated automatically
  • Key must be included in the request
  • The client needs to know the key
  • The client doesn't need to prove its identity

Setting up an API key in Azure


Different scopes of API keys

API key scopes in an Azure Function

  • Different scopes for different types of keys
  • Function-level key grants access to specific functions
    • Like a physical key that unlocks a specific door
  • Host-level key
    • Grants access to all functions in an app
    • Like a master key that unlocks any door in the building

API Management authentication

  • APIM can be connected to an authentication provider
  • One such provider is Entra ID
    • Formerly known as Active Directory
  • Integrating with OAuth is more secure than using API keys
    • Much more complex

Enabling Entra ID integration in APIM


API Management authorization policies


Validating JWT in APIM

Authorization is implemented through policies in API Management

  • Policies define access rules
  • Restrict endpoints based on roles
  • Ensure only authorized clients invoke APIs

Let's practice!
