
Configuring API authentication and access

1. Configuring API authentication and access

Once we have built our API endpoints and exposed them to the world, we will want to ensure that these endpoints are secure.

2. Importance of API security

We don't want anyone to be able to access and modify the data that the endpoints are hiding. This is especially true if such data represents sensitive information, such as personal details, payment transactions, company secrets, and so on.

3. Authentication overview

We will need to remember two key concepts: authentication and authorization. Authentication is the mechanism that forces the originator of the request to prove that they are who they say they are. For example, if a user trying to access a web page in the browser has provided a username, they are asked to provide the password to prove that it's really them.

4. Authorization overview

Authorization is used for ensuring that the user is allowed to access the resource he or she is trying to access. For example, it's not enough to be authenticated to access an admin-only area of a website. You also need to have special admin permissions.

5. Weather app example

If we go back to the weather app, any authenticated user should be able to retrieve the weather for their favorite city and set their favorite city. But only a user with special admin privileges should be able to configure the capabilities of the app, such as which providers the app gets its data from.

6. Introduction to OAuth

REST APIs often use Open Authorization (OAuth) as the protocol for both authentication and authorization. While it's not the only way of securing APIs and it's not the easiest to master, it has a very high security rating compared to the alternatives.

7. Google OAuth example

You may have seen how your Google or Facebook credentials can be used to log into websites that you haven't previously registered on. This is how OAuth works. The original trusted provider, such as Google or Facebook, tells the third party website who you are without sharing any of your sensitive details, such as your private password.

8. API key authorization in Azure functions

Sometimes authorization can be done without authentication. In Azure Functions, HTTP triggers can be secured using function keys. Each key is a long string of characters that is very difficult to memorize. Each function has a unique set of keys, including a default key generated during its creation. One of these keys must be included in the request to the HTTP endpoint of the function. Without the key, requests are denied access to the function. The client that wishes to call the function needs to know the right key but doesn't have to provide its own identity.

9. Different scopes of API keys

Different keys have different scopes. A function key is specific to an individual function. It's like a physical key that unlocks a specific door. A host-level key can be used to call any function within the application. It's like a master key that unlocks any door in the building.
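To make the two key scopes concrete, here is an added Python model of the check the runtime performs for the weather app; it is illustrative code, not Azure's own implementation. The key values and function names are constructed, while the `x-functions-key` header and the `code` query parameter are the real ways a key is passed to an HTTP trigger.

```python
# Illustrative model of how HTTP-trigger keys are scoped in Azure Functions.
# Not the Azure runtime's own code; key values and function names are constructed.
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample keys, deliberately short for readability.
HOST_KEYS = {"default": "host-default-key-0001"}
FUNCTION_KEYS = {
    "GetWeather": {"default": "getweather-key-0001"},
    "ConfigureProviders": {"default": "configure-key-0001"},
}


def extract_key(url, headers):
    """Read the key from the x-functions-key header or the ?code= query string."""
    header_key = {k.lower(): v for k, v in headers.items()}.get("x-functions-key")
    if header_key:
        return header_key
    codes = parse_qs(urlparse(url).query).get("code", [])
    return codes[0] if codes else None


def _matches(presented, candidates):
    # Constant-time comparison against every candidate key, so a mismatch
    # does not leak how many leading characters were correct.
    return any(hmac.compare_digest(presented, k) for k in candidates)


def authorize(function_name, url, headers):
    """Return (allowed, reason).

    A host key opens every function; a function key opens only the function
    it belongs to. Note that the caller's identity is never checked: this is
    authorization without authentication, as the lesson describes.
    """
    presented = extract_key(url, headers)
    if not presented:
        return False, "no key presented"
    if _matches(presented, HOST_KEYS.values()):
        return True, "host key"
    if _matches(presented, FUNCTION_KEYS.get(function_name, {}).values()):
        return True, "function key"
    return False, "key not valid for this function"
```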

10. API Management authentication

In Azure API Management, authentication is typically achieved by integrating with identity providers such as Entra ID (formerly known as Active Directory). Integrating with authentication providers and using protocols such as OAuth is much more secure than using API keys, and it's also much more complex. It's the equivalent of having to have a passport and an appropriate visa at an airport.

11. API Management authorization policies

Authorization is implemented through policies in API Management that define rules for granting or restricting access to API endpoints. For example, policies can restrict access based on user roles, ensuring that only authorized clients can invoke specific APIs.

12. Let's practice!

Let's practice this!
