LeonardoFerreira-1113 asked MikeUrnun edited

What is the recommended approach for System-System integration using Azure Api Management?

What is the recommended approach for System-System integration using Azure Api Management where there are NO USERS involved?

In other words, I have an API exposed on API Management that will be consumed only by other systems acting on their own behalf (like tourism agencies booking hotel rooms). Currently the interested party goes to the developer portal, registers himself and the application, and gets a token, which is provided in the "Authorization" header using the "Bearer" scheme.

azure-api-management

1 Answer

MikeUrnun answered MikeUrnun edited

Hello @LeonardoFerreira-1113 - Best practice-wise, the recommendation for securing Service-to-Service communication is to use certificate-based authentication and/or OAuth flow with Client_Credential grant type (aka: two-legged flow): Microsoft identity platform and the OAuth 2.0 client credentials flow.

Since both options operate at different levels of the OSI model, it'd be good to implement both.

Coming to the APIM side of things, it supports both options:

  1. How to secure APIs using client certificate authentication in API Management

  2. Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD

What you currently have working is an OAuth flow with an Authorization Code grant type configuration based on option #2 referenced above, which is considered a three-legged flow that requires user consent, etc.

Based on what we have above, you sort of have the following options now:

  1. Implement #1 above alone

  2. Implement #1 and modify your existing OAuth configuration to switch to the Client_Credential grant type.

  3. Simply switch to Client_Credential grant type but still introduce certificate in the flow: Azure API management – Enforce use of Certificate in Client Credentials Flow

Lastly, I believe #3 is a great option but it won't hurt to add #1 to the mix too (for an extra layer of security). Hope this helps, let me know if any questions.
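The answer's options #1 and #3 combined, as an added example (not the answer's own code, nor copied from the linked Microsoft articles): an APIM inbound policy that first requires a valid client certificate matching one uploaded to the APIM instance, and only then validates the app-only Bearer token obtained through the client credentials flow. `TENANT_ID`, `API_APP_ID_URI` and the app role name `Booking.ReadWrite` are placeholders to be replaced with the values from your own tenant and app registration.

```xml
<!-- Added example, not from the original answer. Placeholders: TENANT_ID, API_APP_ID_URI, Booking.ReadWrite -->
<policies>
  <inbound>
    <base />
    <!-- Option #1 (transport layer): reject the call unless the caller presented a client
         certificate that chains correctly AND matches a certificate uploaded to this APIM
         instance. "Negotiate client certificate" must be enabled on the gateway hostname,
         otherwise context.Request.Certificate is always null and every call gets 403. -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
        <return-response>
          <set-status code="403" reason="Invalid client certificate" />
        </return-response>
      </when>
    </choose>
    <!-- Option #3 (application layer): validate the Bearer token issued by the client
         credentials (two-legged) flow. An app-only token carries no "scp" claim; application
         permissions granted to the partner's app registration appear in "roles", so the
         check below requires an app role rather than a delegated scope. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized: invalid or missing app-only token">
      <!-- Signing keys are fetched from the tenant's OpenID Connect metadata -->
      <openid-config url="https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration" />
      <!-- Token must be minted for this API, not for some other resource in the tenant -->
      <audiences>
        <audience>api://API_APP_ID_URI</audience>
      </audiences>
      <!-- Pin the issuer so tokens from other tenants are rejected even if they verify -->
      <issuers>
        <issuer>https://login.microsoftonline.com/TENANT_ID/v2.0</issuer>
      </issuers>
      <!-- The partner's app registration must have been assigned this app role -->
      <required-claims>
        <claim name="roles" match="any">
          <value>Booking.ReadWrite</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Order matters: the certificate check runs first so that a request without a valid client certificate is rejected before APIM spends effort fetching signing keys and validating the token. Failing closed on a missing `context.Request.Certificate` is deliberate; if you see every caller getting 403 after deploying this, check that client certificate negotiation is enabled on the gateway hostname rather than relaxing the condition.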

Thanks for your input @MikeUrnun, but the "self-serving mode" is not clear to me yet... the tutorials you pointed out seem to fit the "someone over here will do that for you and we will just give you a token" kind of deal, or am I getting something wrong?

MikeUrnun

@LeonardoFerreira-1113 Kind of, the two-legged flow basically takes the user context out of the equation and makes the authentication & the token issuing processes only between the two systems which then makes the overall flow a great fit for securing system-to-system communications.


@MikeUrnun so, in extreme scenarios, like let's say Facebook, I would have to set up a call center where developers would call and ask my team to create such applications on my AAD and give them the appropriate keys... and in case a key gets leaked by the partner, he would have to call again asking for the key to be renewed... right?
