Azure API MANAGEMENT - Api security
Question
in my company we are using azure api management. I'm reading the microsoft doc and i'm focused on product and subscription. On 2 api i started to apply the product with related subscription (that i passed to my dev colleagues and they are using with our mobile app). On 99% of api we implemented jwt validation policy as security layer.
One or two api are exposed without subscription or jwt validations, as dev requirement. I don't understand the subscription and their use. I would like to generate a subscription key specific for api without jwt policy, but i think is not the right way becouse the key will be hardcoded into our mobile app and can easily stolen i think.
here policy jwt:
<validate-jwt header-name="Auth-token" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" clock-skew="600">
<issuer-signing-keys>
<key certificate-id="jwt" />
</issuer-signing-keys>
</validate-jwt>
There are some other method on api management to implement for this case? Or subscription is enough?
1 answers
solution1
0 2022-05-30 11:42:13
As you said the subscription key will be hard coded and you also have manually rotate it .
Jwt with bearer tokens are a better way because the tokens have expiration dates this makes them better.
Azure active directory is also good if you want RBAC.
Refer the following documentation for further details.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.