question

0 Votes
JatinGupta-4665 asked ·

API management authentication without subscription key

I am very new to Azure Api management. This is my 2nd day with Azure cloud and Api management. So my question may sound very naive.

I am using Bubble, a no-code solution, as the front end. It handles my user authentication and authorization. I want to connect API Management with Bubble. Bubble can call APIs with an inbuilt plugin. But the problem is that users can see the network calls in the browser and see the API tokens. If I had been using JWT authentication, every user would have their own JWT token and it would not be a problem for me.

But right now, I am using a global key, the subscription key from API Management, to access the data from Bubble. If a logged-in Bubble user gets hold of the key from the browser and passes in the right params, they will be able to access the data without fail. This can continue for a long time, as the keys are not updated as frequently as JWTs.

How do I authenticate in API Management that the call I am getting is from an authenticated Bubble user? I read in the documentation that there are three ways to connect to API Management:
1. Basic auth
2. Certificates
3. Azure active directory

I cannot use Basic auth, as I do not have a username and password in the front end. It is managed by Bubble. I do not understand how Certificates and Azure Active Directory can help me with this problem.

My question is similar to this question just with different front end: https://stackoverflow.com/questions/57111256/azure-api-management-how-to-secure-subscription-key

I am sorry if this sounds more like a Bubble question, but any help would be appreciated.



azure-api-management

1 Answer

1 Vote
NorSardou answered ·

Hi @JatinGupta-4665

You can use the validate-jwt inbound policy to ensure there is a valid JWT token in the request.

 <validate-jwt header-name="Authorization" require-scheme="Bearer">
     <issuer-signing-keys>
         <key>{{jwt-signing-key}}</key>  <!-- signing key specified as a named value -->
     </issuer-signing-keys>
     <audiences>
         <audience>@(context.Request.OriginalUrl.Host)</audience>  <!-- audience is set to API Management host name -->
     </audiences>
     <issuers>
         <issuer>http://contoso.com/</issuer>
     </issuers>
 </validate-jwt>




Thank you for replying to my question.
I understand that I can use to check my JWT token. But the problem is how do I generate/issue the JWT token?

0 Votes 0 ·

You need a public endpoint to authenticate users first.
It can be either an internal service or external as Azure AD.

This service will authenticate the user and issue the JWT token. API Management will then validate the JWT token for each request (either by using the signing key or the Azure AD account).

You can follow this Microsoft documentation to enable it using Azure AD.
You also have a list of code samples for generating a client for Azure AD authentication.

0 Votes 0 ·
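To make the two halves of the flow above concrete (an authentication endpoint that issues the JWT, and API Management running validate-jwt on every request), here is an added example that is not part of the original answer or of Azure's code. It hand-rolls HS256 with the standard library so it runs offline: issue_token() plays the role of the issuing service, and validate_token() performs the same checks the policy above performs (scheme, signature against the shared signing key, issuer, audience, expiry). The signing key, the issuer URL and the audience values "person-api" and "account-api" are assumptions chosen for illustration; in APIM the shared key lives in the {{jwt-signing-key}} named value (base64-encoded), and the <audiences> element is what stops a token minted for one API from being accepted by another API in the same instance.

```python
"""Added example, not from the original post or from Azure.
A minimal HS256 JWT issuer plus a validator that mirrors APIM's validate-jwt
checks. All constants below are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret: the equivalent of the {{jwt-signing-key}} named value.
SIGNING_KEY = b"replace-with-a-long-random-secret"
ISSUER = "http://contoso.com/"  # assumed; matches the <issuer> in the policy


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Restore padding and decode; raises ValueError on garbage input."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, ttl_seconds: int = 3600, now=None) -> str:
    """The authentication endpoint's job: once the front end has authenticated
    the user, mint a short-lived token bound to exactly one API (the audience)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, expected_audience: str, now=None) -> dict:
    """What validate-jwt does per request. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a different algorithm
    expected_sig = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")  # check signature before trusting any claim
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("token was not issued for this API")
    if now >= int(payload.get("exp", 0)):
        raise ValueError("token expired")
    return payload


def authorize_request(authorization_header: str, expected_audience: str, now=None) -> bool:
    """Apply the require-scheme="Bearer" rule, then validate the token."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    try:
        validate_token(token, expected_audience, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo: a token for the Person API is accepted there and
    # rejected by the Account API, which has a different audience.
    tok = issue_token("user-42", audience="person-api")
    print(authorize_request("Bearer " + tok, "person-api"))   # True
    print(authorize_request("Bearer " + tok, "account-api"))  # False: wrong audience
```

The audience check is the part that answers the later comment about several APIs in one instance: give each API its own audience (or its own app registration) and put that value in that API's <audiences> element, so a token obtained for one API fails validation on the others. Signature verification happens before any claim is read, because an unverified payload is attacker-controlled input.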

Can I use some policy to extract the subscription key from my JWT token and check its validity?

In this way, I just have to pass the JWT token and not the Ocp-xxxx-key.
And I can enable "Requires Subscription" and use Azure's analytics along with my own authorization.

0 Votes 0 ·

@NorSardou How does this work with multiple APIs in the same APIM instance?

Example: I have 3 APIs: Person, Account, Organization.

I have three AAD app registrations (service principals): a Person one, an Account one, an Organization one.

My API users are using the OAuth flow to get a bearer/auth (JWT) token and hand it to APIM.

This is what I think you are describing...

But how do I ensure that the Person service principal isn't being used for the Account API?

In other words, I believe you are merely authenticating via the above, not authorizing. I believe the above policy says any person who can log in and get a valid JWT from AAD can use the API.

This doesn't work if you have more than one API in APIM.

How do I somehow attach an AAD app registration to a particular API, so I can authorize which can use which API?

0 Votes 0 ·