I have created a Web API using .net core 5. I have secured the app using the Microsoft Identity platform. Clients app are able to get to the resource based on their scope/role. So I know that my api is secure.
Now, I need to add the API to Azure API Management tool.
So my question is should I enable OAuth from the Azure API Management to secure my web api even though my app is already secured?. What would be the reason that I enable OAuth from API management?
APIM is a proxy to the backend APIs and implementing security mechanisms to give an extra layer of security to prevent unauthorized access to APIs is a recommended practice.
Configuring OAuth 2.0 Server in APIM merely enables the Developer Portal’s test console as APIM’s client to acquire a token from Azure Active Directory. In the real world, customer will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references makes you how OAuth secures the Web APIs/Services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM
Related
I have API which is hosted in Azure. It is using Microsoft Identity platform for Authorization. Now we need to integrate APIM Gateway for the API. APIM also provides OAuth Authorization. So my question is should I configure OAuth for my API in APIM since Api would be deployed in APIM or I can continue to use Microsoft Identity platform which is doing its job. So I am looking for benefits for using OAuth from APIM rather than throw Microsoft Identity. In other words what would be difference and pros using OAuth vs Microsoft identity which also relies on OAuth?
Each API should validate a JWT access token on every request, then use the token's scopes and claims to authorize access to resources. This is sometimes called a zero trust architecture.
Another important requirement is to avoid revealing sensitive data in tokens, such as emails, to internet clients. The phantom token pattern has more info on this, and involves the use of an API gateway.
I would favour a solution where there is an API gateway in front of your APIs. This is a hosting best practice and also enables you to perform tasks such as cookie and token translation in the gateway.
APIM is one solution so I would favour that type of option if it improves your API security. There are other Azure options though, so it can be worth clarifying the types of things you want to do in gateways before choosing one. The API Gateway Guides may give you some ideas.
Background
I'm looking into securing a selection of APIs for a client. I'm pretty familiar with the Auth0 offering and quite confident that it will serve me well as an auth provider.
The APIs will be deployed on GCP (Google Cloud Platform) and I've been looking into using Apigee to manage the life cycle of my APIs.
Question
Does Apigee offer an auth store for users similar to what Auth0 offers or is Apigee's OAuth implementation limited to application level authentication using Consumer Key and Consumer Secret as described here?
Apigee OAuth implementation is not limited to Consumer Key/Secret (client credentials grant) but you also can implement different OAuth grant types. Apigee can generate/validate JWT and it's own opaque tokens.
The problem is that Apigee does not provide Identity Provider (IdP) service, it means that it does not have a store for user credentials. You may utilize Apigee's BaaS (Backend-as-a-Service) to store users or integrate Apigee with other IdPs, but there's no built-in solution to authenticate users.
I have generated a Client ID and Client Secret for my application using the Google API Console for my Java web application.
I want to generate an access token to be used in my application to authenticate a mailbox and read mails from there with the help of JavaMail API.
This link has some theoretical information but I could not understand how the tokens can be obtained.
Answer will depend upon where is application running as it determines how access token can be received:
Using OAuth 2.0 for Web Server Applications
OAuth 2.0 for Client-side
Web Applications OAuth 2.0 for Mobile & Desktop Apps
OAuth 2.0 for TV and Limited-Input Device Applications
There are different alternatives or libraries available to get access token depending upon the type of application and different specific mechanisms are defined around it.
So it will be then much easier to dive-in into the specific options available.
What are some real-world scenarios for 2-legged OAuth?
Is it only applicable for mobile/desktop apps?
2-legged OAuth (aka. the Client Credentials flow in OAuth 2.0) is useful when a client wants to access certain resources without disclosing its primary client credentials to the resource API. The client would authenticate to an Authorization Server to get a derived token that it can present to the resource API to get access to the protected resources.
Getting the token and presenting it is done in a standardized and interoperable way without pestering the resource API with different authentication mechanisms. It also makes revocation of access easier because that is controlled in a centralized fashion on the Authorization Server, independent of the client's primary credentials. See also: How does 2-legged oauth work in OAuth 2.0?
It is applicable across mobile, desktop and web applications although keeping a client secret in mobile and desktop applications is arguably hard so it is most suitable in server-side environments.
A real world scenario is a batch script that fetches data from a remote API and processes it.
2 legged auth is for server to server authentication on behalf of the application with no end-users involved.
For example, your application on Google AppEngine makes a request to Datastore (Database from Google Cloud). This uses 2 legged auth with JWTs.
Instead, if your application makes a request on behalf of the end user to read the user's Google Drive files, 3 legged auth is used.
We want to secure our api using OAuth.
Our server exposes functionalities through APIs. Separate UI applications consume these APIs.
Users use these UI application to access their resources. Since there are only two systems (client and server) involved,
we would like to have 2 legged authorization flow instead of 3legged with redirections. Also we would like have
separate UI (client) application verification once and use this verification code to perform user login and get access token.
Currently we are evaluating spring security framework. Most of spring security tutorials/article talks about 3-legged oAuth with bearer token approach.
I’m not sure if it supports request singing and above mentioned required process. Is there any other open source framework we can use?