0
votes

I have created an API and achieved subscription + certificate-based authentication with the help of https://docs.microsoft.com/en-us/learn/modules/control-authentication-with-apim/1-introduction. This implementation is currently providing security for a particular user. If I provide the same subscription and certificate to another user, then the API is accessed as well. Would you please explain how to avoid this scenario? Would you please guide me on how to provide machine-based certified access with Azure API Management?

1
According to this doc you can see the validation of the certificate, and you can know the reason why any user with the correct certificate (and subscription key; the sub key is generated for the API, so it can be reused) can access the API. And based on the 'machine-based certificate' you said above, I think you may want a solution to validate different users. So would you like to use OAuth 2.0 to secure access to the APIs? i.stack.imgur.com/PPDWs.png - tiny-wa

1 Answer

1
vote

According to the tutorial you provided in the question, there are several properties users can set in the validation policy. The sample policy in the exercise is based on the Thumbprint, like <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "desired-thumbprint")" >


This leads to the scenario you mentioned in the question. If you want to set a machine-based certified access policy, you need to change the condition being checked. For example, if you'd like to make your API accessible to a trusted subject, you can change the policy like this:

<inbound>
    <base />
    <choose>
        <when condition="@(context.Request.Certificate == null
            || context.Request.Certificate.Issuer != "CN=client-daemon.mycustomdomain.com, OU=Azure, O=tosokr.github.io, L=Amsterdam, S=North Holland, C=NL"
            || context.Request.Certificate.SubjectName.Name != "CN=*.mycustomdomain.com")">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
</inbound>

More samples can be found in this blog.
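As an added example (not part of the answer above), the same inbound policy with two additions a reviewer would ask for: the presented certificate is chain-validated with context.Request.Certificate.Verify() before its names are compared, since Issuer and SubjectName are just strings that any self-signed certificate can carry, and the thumbprint is pinned to the one certificate issued to the intended machine. The issuer, subject and the named value allowed-client-thumbprint are placeholders.

```xml
<inbound>
    <base />
    <choose>
        <!-- Step 1: reject when no certificate was presented, or when the chain does not
             validate against the CA certificates uploaded to the APIM instance. Without
             Verify(), a name-only check accepts a self-signed certificate whose Subject
             and Issuer strings were simply copied from the trusted one. -->
        <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
            <return-response>
                <set-status code="403" reason="Client certificate missing or untrusted" />
            </return-response>
        </when>
        <!-- Step 2: accept only the certificate issued to this machine. Issuer and subject
             below are placeholder values; the thumbprint is read from a named value so the
             policy file itself does not embed it. Note that pinning binds the API to one
             certificate, so the private key still has to stay on that machine. -->
        <when condition="@{
            var cert = context.Request.Certificate;
            var allowedThumbprint = "{{allowed-client-thumbprint}}";
            return cert.Issuer != "CN=Example Issuing CA, O=Example Org, C=NL"
                || cert.SubjectName.Name != "CN=build-agent-01.example.com"
                || !cert.Thumbprint.Equals(allowedThumbprint, StringComparison.OrdinalIgnoreCase);
        }">
            <return-response>
                <set-status code="403" reason="Client certificate not authorized for this API" />
            </return-response>
        </when>
    </choose>
</inbound>
```

A request that fails either branch gets the 403 before any backend call; the name and thumbprint checks only run on a certificate that already chained to a trusted CA.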