Azure API Management - Authenticate and Authorization sync with underlying services

Question

I am new to Azure API Management and will be happy to receive suggestion and advise on my implementation.

I am developing a B2B Api Channel for 3rd parties to call my services via the API Management (APIM) Gateway. On the APIM developers portal I can onboard new clients and generate API key. My struggle is how best to figure out at the underlying services who is calling?

I have considered add the API Key generated in the APIM to a database which the underlying service will call to authenticate, however, the implementation will be manual and will not be in sync when the 3rd party client goes to APIM and regenerate a new API key.

What I want is a solution that auto syncs authorization and authentication between APIM and the underlying services.

Answer 1

Since API keys can be replaced, you better rely on IDs to identify clients.

You can pass a client ID to a backend in a header: https://stackoverflow.com/a/42277313/2579733

Now how do you correlate APIM's client IDs with your backend's client IDs?

If there are only a few clients, you can probably update that association in your backend's database manually. If you can use the clients's email to connect the APIM client and your backend client, that's even easier (you're done).

If you will need to register many clients and the manual approach is not feasible... One way to do it is with Delegated Authentication :

Delegation allows you to use your existing website for handling developer sign in/sign up and subscription to products, as opposed to using the built-in functionality in the developer portal. It enables your website to own the user data and perform the validation of these steps in a custom way.

I never used it but it seems you can transfer the responsibility of creating new clients to a backend service (developed by you).

This way you have access to client emails, you generate IDs and can store the ID relationship in the backend as necessary.