APIM security recommendations #84
Comments
This seems ok. We need to ensure that APIM, which becomes a bottleneck, is scaled and operated sufficiently. I suggest that we create some real code examples on how APIM authenticates with the backend (if they are not easily available) and also get an impression of any potential performance penalties. In addition, APIM will act as a client towards the API, which may also query additional APIs in a longer chain. This should also be explored and documented with code examples :)
Side question -- Microsoft is pushing "subscription keys via headers" to enhance security. While we see that by implementing these parts:
it should provide enough protection. @larskaare @oyron, what are your thoughts on subscription keys as an additional security layer? It looks like the "subscription key functionality" just adds an extra key and the burden of maintaining the keys and their rotation (assuming that authentication/authorization is already configured correctly in the API and token validation is being performed). Microsoft states that without a valid subscription key (when enabled), requests would be "rejected immediately by the API Management gateway." I think that token validation would do the same. The ODAMS documentation doesn't provide any clarification on why it should be used and just references Microsoft's docs. Links: