
Azure API Management - How to secure Subscription key

Technical stack

  • API deployed in a WebApp
  • API Management deployed, with the WebApp configured as the Web service URL.
  • UI developed as an Angular application which calls API Management endpoints to display data on the UI.
  • IP authentication is implemented to make sure only allowed users have access to the UI & API
  • Subscription is enabled at Product level and the key is shared with the client for API calls
  • A separate product is created for the UI, and its subscription key is used in the UI to call the API and display data

Now in this case, the subscription key will be visible through Browser -> Inspect -> Network tab.

We want to make sure that a user can't use the UI key to make API calls. Using a proxy will hide the key, but then anyone can call the proxy URL to get data.

How can this be made secure?


Did you find any solution? I used nginx as a proxy server and kept the subscription key there as proxy_set_header subscription-key abc-def when calling the microservice. This way the subscription key won't be exposed to the UI and will be forwarded to the API Management Service via nginx.

Store your key in Azure Key Vault and access it from the front-end application: https://medium.com/@ayanfecrown/azure-key-vault-node-js-step-by-step-tutorial-af131a78e220

As mentioned by nmbrphi and garethb, we can't control what the end user sees in the browser network tab.

And as we do not have user authentication available in the system and only have IP authentication, we can't control usage of the UI key directly from the API.

To make sure we have a more secure UI call, we have implemented custom logic which can be used for any JavaScript application.

Reference: http://billpatrianakos.me/blog/2013/09/12/securing-api-keys-in-a-client-side-javascript-app/

This helped me to at least distinguish the UI calling the API from the API being called directly from other applications/tools like Postman.

Thanks all for your help.
