0
votes

Can we use OAuth in Azure APIM - Consumption or Basic tier?

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

1

1 Answer

0
votes

The OAuth option is present in all tiers, since it allows you to associate an API with an OAuth server, and that information is used when you export the API definition (OpenAPI spec).

But that is all irrelevant for backend security, since the auth servers you register only affect the API definition and are used in the test console in the Developer portal.

If you really want APIM to rely on OAuth to authenticate the backend call, you'll need to either provision and rotate the token manually and use, for example, the set-header policy to add it to every request, or implement the full OAuth flow using the send-request policy. That is pretty clunky to do.

So a better option would be to rely on client certificates: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates