I am looking at using Azure API Management to provide a consistent front end to a number of backend APIs.

Most of the APIs are secured using the OAuth 2.0 application flow (Client ID + Client Secret, with the backend API checking claims/scopes). This works great, but when clients use these APIs via APIM, they need to provide an APIM Subscription Key and an OAuth 2.0 Token. I understand that the APIM Subscription Key is used to identify clients to APIM (for the purposes of rate limiting, logging, and the like), and the Token is used for the backend authentication/authorization.

Is there any way that a Client ID could be used as an alternative to the APIM Subscription Key? That is, a client doesn't need to provide an APIM Subscription Key, and the OAuth 2.0 token identity is used for all APIM features (e.g., rate limiting by Client ID).

1 Answer

It is not possible to use an OAuth token to identify a client, but you can use it for rate-limiting and logging (of sorts). Start by creating a new product that does not require a subscription; any API added to that product becomes anonymously accessible. To counter that, you can place a validate-jwt policy on that product to require an OAuth token and check its claims, or, if you really don't care about the token contents and just want to know that it is there, you can use the check-header policy.

Using policy expressions you can do context.Headers.GetValueOrDefault("Authorization").AsJwt() to parse the provided header into a JWT object model, inspect its claims, and use it in the rate-limit-by-key and quota-by-key policies to implement throttling per client.

To make logging work there is no other way at the moment than to rely on the log-to-eventhub policy and log the necessary information yourself. That does mean that you need to maintain an EventHub instance and further infrastructure to read records from it and store them somewhere. Some changes are coming to broaden logging capabilities that will make this easier, though.
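The pieces the answer names, wired together in one APIM product-scope policy, as an added example (not code from the answer's author): validate-jwt gates the request, rate-limit-by-key and quota-by-key count per calling application, and log-to-eventhub records who called what. The tenant, audience, role value and logger-id are placeholders, the `appid` claim name assumes Azure AD v1 tokens (v2 tokens carry `azp`), and the product must be configured to not require a subscription.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject requests without a valid bearer token; this replaces the subscription key as the gate -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Missing or invalid access token">
            <!-- TENANT_ID_PLACEHOLDER: the identity provider tenant that issues the tokens -->
            <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- BACKEND_APP_ID_PLACEHOLDER: app registration of the backend API -->
                <audience>api://BACKEND_APP_ID_PLACEHOLDER</audience>
            </audiences>
            <required-claims>
                <!-- Example role check; use whatever role/scope the backend already enforces -->
                <claim name="roles" match="any">
                    <value>Api.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Throttle per calling application: the counter key is the appid claim
             (client_id of the app that obtained the token); tokens without it share one bucket -->
        <rate-limit-by-key calls="100" renewal-period="60"
                           counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Claims.GetValueOrDefault("appid", "unknown"))" />
        <quota-by-key calls="10000" renewal-period="86400"
                      counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Claims.GetValueOrDefault("appid", "unknown"))" />
        <!-- One CSV record per request to an Event Hub logger
             (EVENTHUB_LOGGER_ID_PLACEHOLDER must name a logger entity created in the APIM instance) -->
        <log-to-eventhub logger-id="EVENTHUB_LOGGER_ID_PLACEHOLDER">@{
            var jwt = context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt();
            var clientId = jwt?.Claims.GetValueOrDefault("appid", "unknown");
            return string.Join(",",
                DateTime.UtcNow.ToString("o"),
                context.RequestId,
                clientId,
                context.Operation.Id,
                context.Request.Url.Path);
        }</log-to-eventhub>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A request with no Authorization header fails at validate-jwt with a 401 before it is ever counted or logged, so the anonymous product is not reachable without a token.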