How can we improve Microsoft Azure API Apps?

Add ability to use API Key authentication

It would be nice to be able to protect API apps with a set of API Keys instead of requiring a user to manually log in. This would be especially helpful for backend APIs that don't require user authorization or are accessed primarily by other servers.

167 votes
    Jeff H. shared this idea
    unplanned  ·  Azure App Service Team (Admin, Microsoft Azure) responded

    Thank you for your feedback!

    We would like to add API Key support to App Service authentication/authorization. I am placing this item in “unplanned” to be used in future planning sessions.

    Alex
    Azure App Service Team

    8 comments

      • Cody Sigvartson commented

        Would be great if this were implemented as stated by Mats. Though it isn't the most secure form of authentication, it works very well for a lot of smaller web services. Being such a common authentication practice, it should be able to be implemented with Azure.

      • Chris Gillum (MSFT) commented

        We still haven't decided whether this is something we want to add, given the security weaknesses of API keys. The main worry is folks abusing this feature by embedding API keys in their native client apps and having them discovered by malicious users.

        That said, if what you need is service-to-service authentication that doesn't require any manual login, you still have the option of using Azure AD and Service Principal authentication. More details here: https://azure.microsoft.com/en-us/documentation/articles/app-service-api-dotnet-service-principal-auth/

      • Jerome Brown commented

        This was marked "Under Review" over a year ago. Is there an update on the feature request? Several references in the documentation say only "Coming Soon".

      • Mats Hallingström commented

        Description:
        As a user, I should be able to access an App Service by supplying an access token in the request, as an alternative to AAD credentials.

        Purpose:
        A lot of test tools for SOAP/REST/Web have weak or no support for AAD or OAuth2 authentication.
        Defining and including a predefined access token in each request would ease testing and verification of app and web services.

        The alternative is to turn all authentication off, which is not desirable.


        This would work in the same way as for Visual Studio Team Services: a user can define a personal access token that allows the same access as an interactive login.

        Access tokens can be managed in the app service authentication/authorization settings.

      • enough commented

        For me that would also be tremendously helpful - though I would additionally like to use user authentication in my case.

      • Mike commented

        This feature would be extremely helpful for what I plan on doing with a web app that will let anonymous users retrieve read-only data from my API, and not allow anything but the web app to call the API. I'll use social logins for client-side authentication/authorization for users allowed to write data.
