question

RaviNagumalli-5886 asked

APIM AD OAuth2 security - Creating multiple Client IDs and Secrets to provide to different partners consuming the same API (my organization's API, e.g. Quote Search API), and I should have details of which partner called the API based on the token they passed.

Requirement: We have search APIs which we need to provide to our 100 different partners.
1.) For securing the API we would need to give a unique ClientID/Secret to each partner.
2.) After the client calls the API, I would need to know which partner has called the API through the token, so that I can query the data specific to that partner only and provide the data in the response.

In the current world, we are doing this through Oracle API Gateway by generating separate ClientIDs per partner and providing the new ClientID and Secret to each partner.

We are currently moving to Azure APIM, and when I try to do the same in Azure, I could not figure out an option to create multiple ClientIDs and Secrets for the same API within an App. Could you help me with how I can achieve this?


If I create multiple Apps in Azure AD, my understanding is that every time I create an App I will need to add the ClientID in the "Inbound processing" policies of the API Management APIs where I registered my APIs, which I don't want to do as it's an additional manual task for onboarding partners to consume the APIs. Also, I am not sure if the above inbound policies can accept multiple ClientIDs.

My requirement is:
1.) One-time API registration, and if I need to provide the APIs to new partners, I should be able to just generate a unique ClientID and Secret, provide them these IDs, and they should be able to use the API.
2.) When the partner calls the API, I should be able to recognize the partner's call, so that downstream, based on the partner who called the API, I will search the data specific to that partner and provide it in my API response.

Hope I have clarified the details here. Please help with what options I have to register the APIs in Azure AD with the above requirement.




1 Answer

ShwetaMathur answered

Hi @RaviNagumalli-5886,

Thanks for reaching out. Apologies for the delay in response.

To register APIM as an OAuth Application in Azure AD, the Client ID and Client Secret are just a one-time setup requirement.

You should be able to generate multiple client secrets for the same application, but the client ID will remain the same. Also, an Azure AD token doesn't recognize different client secrets; it contains only the client ID, which would be the same from each partner for the same API.

In your scenario, to achieve this using Azure AD, you need to register your search APIs in Azure AD, which means the API is now protected by Azure AD, and to access the protected API each partner needs to fetch a token from Azure AD before calling the search API.

In this case, the different partners that might be invoking the protected search API from different platforms (native, web, mobile) would need to be registered in Azure AD separately, and then they can use different OAuth approaches to fetch the token and pass it as a Bearer token in the Authorization header to access your search API.

Only those front-end applications registered in Azure AD which have permissions to the custom API can access the search API. You should be able to identify which partner (client application) is calling the custom API using the app_displayName and appId claims in the access token, and based on that filter the specific data in the search API.

(attached image: sampleimg.png)


In case of more questions related to this, we are happy to help and elaborate further.

Thanks,
Shweta


Please remember to "Accept Answer" or "Up-Vote" if the answer helped you.




Hi Shweta,
Thanks for the detailed information on this. I have additional queries around this; could you please help:

If my partner is not part of my Azure AD and I just want to secure my on-prem APIs and expose them to my external partners through Azure APIM, how can I go ahead with the below requirements:

1. Expose the on-prem APIs to the public through Azure APIM.

2. If we are providing a token API to a partner with a unique client ID/secret, I will need to know which partner is calling the transactions API based on the token passed to the transactions API, so that I can fetch the partner-specific transaction details ONLY and provide them back to the partner as part of the API response.


Thanks,
Ravi

ShwetaMathur (replying to RaviNagumalli-5886):

Hi @RaviNagumalli-5886 ,

Please find my response inline:

There are a couple of steps required for this, depending on your current network architecture:

1. Expose the on-prem APIs to the public through Azure APIM.

You could put your on-premises APIs into a VNET to expose them to the public. Please find the reference: VNET with APIM in the cloud.

2. If we are providing a token API to a partner with a unique client ID/secret, I will need to know which partner is calling the transactions API based on the token passed to the transactions API, so that I can fetch the partner-specific transaction details ONLY and provide them back to the partner as part of the API response.

As mentioned above, if your partner is calling the transactions API with a token which has permission to call your custom API, those tokens have "app_displayName" and "appId" claims specific to your partner, which you can retrieve; based on that you can fetch the partner-specific transaction details in your application and send the specific response back to the partner.

Thanks,
Shweta


Please don't forget to click on Accept Answer or upvote button whenever the information provided helps you.
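As an added illustration of the answer and the follow-up comment above (this is not part of the original thread and not Microsoft's own sample), the APIM inbound policy below validates the Azure AD token on the search API once and forwards the calling application's ID to the backend, which can then filter data for that partner; the tenant ID, the API's App ID URI and the role name are assumed placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject the request unless it carries a bearer token issued by the tenant
         for this API. {tenant-id} and the App ID URI are placeholders. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
      <audiences>
        <audience>api://{quote-search-api-app-id}</audience>
      </audiences>
      <required-claims>
        <!-- Assumed app role granted to each partner's app registration; a token
             from an app that was never granted it is rejected here. -->
        <claim name="roles" match="any">
          <value>Partner.QuoteSearch</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Forward the verified caller identity to the backend. exists-action="override"
         replaces any header the caller sent, so the backend only ever sees the value
         APIM derived from the validated token. v1 access tokens carry the client
         application ID in "appid"; v2 tokens carry it in "azp". -->
    <set-header name="X-Partner-AppId" exists-action="override">
      <value>@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Claims.GetValueOrDefault("appid", ""))</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Because the policy checks a role rather than a list of client IDs, onboarding a new partner is an Azure AD step only (register the app, grant it the role) and the policy needs no change. The backend should accept X-Partner-AppId only on the path from APIM (for example over the VNET mentioned above), never directly from the internet.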
