
Securing WebApi in Azure Api Management

I have deployed my Web API on Azure Websites and am exposing it through the Azure API Management portal. I want to block access on the azurewebsites URL so that a user can only access my API through the Azure API Management proxy with a security key. Can you please shed some light on how this can be done? I have heard mutual certificates can be used, but I am not finding any article online which describes the process of creating such certificates and configuring Web API to effectively use them. My second question is: is there a mechanism to get the API primary key based on username/password and product name? What would be the best approach for keeping that API access key? Should the client app store it in some config file, and should this be obtained programmatically at run time?

Many thanks

InTheWorldOfCodingApplications asked Jun 28 '15 12:06




1 Answer

There are multiple ways to protect your backend:

  1. Use basic authentication
  2. Use mutual cert authentication https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates
  3. IP-whitelisting. If you have a standard or premium instance, the IP address of the proxy will stay the same.
  4. Use OAuth. An example can be found here: https://channel9.msdn.com/Blogs/AzureApiMgmt/Protecting-Web-API-Backend-with-Azure-Active-Directory-and-API-Management

Hope that helps.
Miao Jiang answered Oct 06 '22 00:10