
Hi, I am designing a microservices architecture for my application. I have three microservices developed in .NET Core. I am planning to add API Management in front of the microservices. When I started reading the API Management documentation, I noticed it can handle Azure AD authentication and authorization as well. Users can log in to the front-end SPA application using the authorization code flow with PKCE. A sample architecture is added below.

Sample Architecture Diagram

I have registered three apps in Azure AD because I want to keep everything separate for some security and permission reasons. Earlier I had my own .NET Core application as the API gateway, so I used to obtain a token for the gateway app first and then, using the on-behalf-of flow, get tokens for the downstream microservices. Now the plan is to introduce API Management.

If I am using API Management, then my SPA application should get a token, but against which microservice?

Can I create one app in Azure AD for Azure API Management and get a token for this app from the SPA using the authorization code flow? Then, does my API Management have the capability to obtain tokens for each microservice using the on-behalf-of flow?

Can someone help me design this architecture? Any help would be greatly appreciated. Thanks.

1 Answer

> If I am using API Management, then my SPA application should get a token, but against which microservice?

I think you should get a token and authorize against APIM. Then, assuming all of those microservices are in Azure, I would use managed identities between APIM and each single .NET Core app.

> Can I create one app in Azure AD for Azure API Management and get a token for this app from the SPA using the authorization code flow? Then, does my API Management have the capability to obtain tokens for each microservice using the on-behalf-of flow?

If you are asking if it is possible, then the answer is yes.

Sorry if the answer is too broad, but that is simply because the question is broad as well. There are many possibilities with this setup. You can, for example, authorize yourself in one authorization server, call APIM with the token, and then inside APIM call another authorization server to generate a token for the backend call. Or you can establish that once you are in APIM you will make an anonymous call to the backend. Or you call APIM without a token and then inside APIM, based on some parameter, you generate a token and call the backend with it. As you can see, the scenarios are pretty much endless; you must make up your mind about what you want to achieve and then ask a more specific question.
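As an added example (not from the answerer or the original poster), the following APIM inbound policy implements the first option the answer recommends: validate the Azure AD token the SPA obtained for APIM's own app registration, then let APIM's managed identity acquire a token for the downstream microservice. The named values `tenant-id`, `apim-app-client-id` and `orders-api-app-id-uri`, and the scope `Orders.Read`, are assumed placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- 1. Validate the bearer token the SPA acquired for the APIM app registration.
            Audience and issuer are pinned so a token minted for another API is rejected. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Access token is missing or invalid.">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- Application (client) ID of the APIM app registration (assumed named value) -->
        <audience>{{apim-app-client-id}}</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
      </issuers>
      <required-claims>
        <!-- Require the delegated scope the SPA requested (assumed scope name) -->
        <claim name="scp" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- 2. Acquire a token with APIM's system-assigned managed identity for the
            backend microservice's app registration and store it in a variable. -->
    <authentication-managed-identity resource="api://{{orders-api-app-id-uri}}"
                                     output-token-variable-name="backendToken"
                                     ignore-error="false" />
    <!-- 3. Replace the caller's token so the backend only ever sees APIM's identity. -->
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["backendToken"])</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

With this policy the backend authenticates APIM, not the end user, so any per-user authorization decision must either be made in APIM (the `required-claims` block) or be conveyed to the backend explicitly rather than inferred from the bearer token.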