How can we improve Azure API Management?

OAuth 2.0 implementation support/Securing APIs using OAuth

A major bonus when using an API management system should be that it helps you secure your backend APIs using standard techniques. Other API management systems (such as Kong, see https://getkong.org/plugins/oauth2-authentication/) have support for this, where the APIm acts as a Bearer token store and validates the tokens for you.

Obviously, this will only work for the Client Credentials and possibly also Resource Owner Password Flows, as the others require additional UI, but still this would be a very nice add-on, which enables you to leverage OAuth for backends which are actually OAuth-agnostic.

Azure APIm would then also need a notion of Client IDs and Client Secrets, and would also need to keep an Authentication Token store somewhere. Implementing this in a - for the developer - nice way would require delegating the registration process completely, and also implementing the Authorization Server completely.

Azure APIm supports OAuth 2.0 very nicely in the portal, but this is more for the backend side, assisting in implementing the OAuth backend.

Are there plans on doing anything like this? Even if you use the AAD, you still end up needing a lot of custom code to even get the Client Credentials Flow up and running.

(Or, which is not entirely out of the question, did I completely get it wrong how you would do this).

Best regards,
Martin

80 votes

Martin Danielsson shared this idea
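To make the request above concrete, here is an added example (not Azure APIm, Kong or Apigee code) that models what the idea asks the gateway to do: hold client registrations, issue opaque bearer tokens for the Client Credentials grant, and validate the `Authorization` header before a request reaches an OAuth-agnostic backend. Client ids, the `ClientCredentialsGateway` class and its method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time


class ClientCredentialsGateway:
    """In-process model of a gateway acting as OAuth 2.0 authorization server and
    bearer token store for the two-legged Client Credentials grant (hypothetical)."""

    def __init__(self, token_ttl=3600):
        self._clients = {}  # client_id -> (salt, pbkdf2 hash of the client secret)
        self._tokens = {}   # opaque access token -> (client_id, expiry timestamp)
        self._ttl = token_ttl

    @staticmethod
    def _hash(salt, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def register_client(self, client_id):
        """Delegated registration: generate a secret, store only its salted hash."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._clients[client_id] = (salt, self._hash(salt, secret))
        return secret  # shown once to the developer at registration time

    def token_endpoint(self, grant_type, client_id, client_secret, now=None):
        """POST /token for grant_type=client_credentials; returns (status, body)."""
        now = now or time.time()
        if grant_type != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        entry = self._clients.get(client_id)
        # Hash and compare in constant time even for unknown clients (no timing leak).
        salt, stored = entry if entry else (b"\0" * 16, b"\0" * 32)
        if not entry or not hmac.compare_digest(stored, self._hash(salt, client_secret)):
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, now + self._ttl)
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": self._ttl}

    def validate_request(self, headers, now=None):
        """Gateway policy: returns (200, client_id) to forward, or (401, None) to reject."""
        now = now or time.time()
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token or token not in self._tokens:
            return 401, None
        client_id, expires_at = self._tokens[token]
        if now >= expires_at:
            del self._tokens[token]  # expired: purge and reject
            return 401, None
        return 200, client_id  # backend never sees OAuth, only the caller identity
```

The backend stays OAuth-agnostic: it only receives requests the gateway has already authenticated, together with the resolved client identity.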

5 comments

  • Joakim commented

    I agree, this seems a bit of a shortcoming of APIM. To handle this there is a messy configuration and explanation to the developers and service owners. I really hope this part is going to be cleaned up soon!

  • Veli-Jussi Raitila commented

    Discussion here https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad indicates that many are struggling with the same exact issue. And surprisingly no response.

    People are just using different terminology, such as: "headless integrations", "service-to-service calls", "API-to-API scenarios"... But it's the same problem.

  • Veli-Jussi Raitila commented

    I'm curious on how people have gone about this. It seems pretty obvious that Azure API Management in its current state does not exactly support exposing APIs which are meant to be consumed by daemon / server applications directly.

    I'm talking about scenarios where the end-user is not involved and a simple two-legged Client Credentials Grant would suffice.

    You can cobble something together, but the end result is not pretty. I think this is a major shortcoming.

  • Martin Danielsson commented

    Okay, so it seems as if you can do this with Azure Active Directory, but it's not very simple. Apigee Edge is another example of how you could get this kind of functionality into API Management.
