Add ability to use API Key authentication
It would be nice to be able to protect API apps with a set of API Keys instead of requiring a user to manually log in. This would be especially helpful for backend APIs that don't require user authorization or are accessed primarily by other servers.
Thank you for your feedback!
We would like to add API Key support to App Service authentication/authorization. I am placing this item in “unplanned” to be used in future planning sessions.
Azure App Service Team
Cody Sigvartson commented
Would be great if this were implemented as stated by Mats. Though it isn't the most secure form of authentication, it works very well for a lot of smaller web services. Being such a common authentication practice, it should be able to be implemented with Azure.
Merging with a duplicate request
Azure App Service Team
Agree on this suggestion.
Chris Gillum (MSFT) commented
We still haven't decided whether this is something we want to add, given the security weaknesses of API keys. The main worry is folks abusing this feature by embedding API keys in their native client apps and having them discovered by malicious users.
That said, if what you need is service-to-service authentication that doesn't require any manual login, you still have the option of using Azure AD and Service Principal authentication. More details here: https://azure.microsoft.com/en-us/documentation/articles/app-service-api-dotnet-service-principal-auth/
Jerome Brown commented
This was marked "Under Review" over a year ago. Is there an update on the feature request? Several references in the documentation say only Coming Soon,
Mats Hallingström commented
As a user, I should be able to access an App Service by supplying an access token in the request, as an alternative to AAD credentials.
A lot of test tools for SOAP/REST/Web have weak or no support for AAD or OAuth2 authentication.
Defining and including a predefined access token in each request would ease test and verification of app and web services.
The alternative is to turn all authentication off, which is not desirable.
This would work in the same way as for Visual Studio Team Services. A user can define a personal access token that allows the same access as an interactive login.
Access tokens can be managed in the app service authentication/authorization settings.
For me that would also be tremendously helpful - though I would additionally like to use user authentication in my case.
This feature would be extremely helpful for what I plan on doing with a web app that will let anonymous users retrieve read-only data from my API, and not allow anything but the web app to call the API. I'll use social logins for client-side authentication/authorization for users allowed to write data.