I have an Angular application (hosted as a web app) that will consume APIs which are exposed through APIM. My concern is: are the subscription key and CORS enough for security, or do we have to implement any other security feature?
-Rajesh
While the Subscription Key is secure enough in general for service-to-service calls, for web apps it would be difficult to use it as such. The better approach would be to use Azure AD (B2C) as required.
For this, you could still require CORS setup and, in addition, set up OAuth 2.0-based authentication on your SPA and pass tokens in API requests, which APIM can validate.
The official doc "Protect SPA backend with OAuth 2.0, Azure Active Directory B2C and Azure API Management" covers this in detail, including all the steps required to set things up.
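The setup described in the answer above, sketched as an APIM inbound policy. This is an added example, not part of the original answer or copied from the official doc. The SPA origin, tenant name, B2C policy name, API client ID and scope name are placeholders to replace with your own values.

```xml
<policies>
    <inbound>
        <!-- CORS goes first so the browser's preflight OPTIONS request, which
             carries no Authorization header, is answered before token validation. -->
        <cors allow-credentials="false">
            <allowed-origins>
                <!-- Placeholder: list the exact SPA origin instead of "*". -->
                <origin>https://YOUR-SPA-HOST.example.com</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="300">
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
            <allowed-headers>
                <header>authorization</header>
                <header>content-type</header>
            </allowed-headers>
        </cors>
        <!-- Reject any request without a valid, signed, unexpired access token
             issued by the B2C tenant for this API. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-expiration-time="true"
                      require-scheme="Bearer"
                      require-signed-tokens="true">
            <!-- Placeholders: YOUR_TENANT and YOUR_B2C_POLICY are assumptions. -->
            <openid-config url="https://YOUR_TENANT.b2clogin.com/YOUR_TENANT.onmicrosoft.com/YOUR_B2C_POLICY/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Placeholder: application (client) ID of the API registration. -->
                <audience>YOUR_API_CLIENT_ID</audience>
            </audiences>
            <required-claims>
                <!-- Placeholder scope name; the token must carry it in "scp". -->
                <claim name="scp" match="any" separator=" ">
                    <value>YOUR_API_SCOPE</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <base />
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```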