APIM security recommendations #84

Open
oyron opened this issue May 5, 2020 · 2 comments

Comments

@oyron
Collaborator

oyron commented May 5, 2020

  • API backends secured with OAuth2 and OIDC
  • Authentication and authorization fully handled in backend
  • Set up token validation rules in APIM, as an additional layer of protection
    • Validate token
    • Verify that token is issued by Azure AD
    • Verify token directory = Equinor
  • Set up APIM rate limiting
  • Production APIs should only be accessible through APIM, to ensure all requests are covered by APIM's features for security, logging and monitoring. This can be set up using one of the following options:
    • Authenticate APIM towards backend using client certificates
    • Authenticate APIM towards backend using OAuth2 with either client credentials or on-behalf-of flow (note that OBO will prevent the API from doing a second OBO flow towards other services, as OBO cannot be nested)
    • Use firewall/IP-filtering to limit access to backend, if supported by backend service
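
The policy fragment below is an added example, not code from this issue or the project, showing how the recommendations above (token validation as an extra layer, rate limiting, and authenticating APIM towards the backend) map onto an Azure API Management inbound policy at API scope. The tenant ID, the `api://{backend-app-id}` audience, the certificate thumbprint and the rate-limit numbers are placeholders and assumptions, not values from this issue.

```xml
<!-- Added example: APIM inbound policy implementing the recommendations above.
     Placeholders ({tenant-id}, api://{backend-app-id}, {certificate-thumbprint})
     and the rate-limit numbers are assumptions, not values from the issue. -->
<policies>
    <inbound>
        <base />
        <!-- 1. Validate the bearer token: signature (keys fetched from the tenant's
             OpenID metadata), expiry, audience, issuer (Azure AD v2.0 endpoint) and
             the "tid" claim, i.e. the token directory. This is defence in depth;
             the backend still performs its own authentication and authorization. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Access token is missing or invalid">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://{backend-app-id}</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <required-claims>
                <claim name="tid" match="all">
                    <value>{tenant-id}</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- 2. Rate limiting keyed on the token subject rather than the source IP,
             so callers sharing a NAT address do not throttle each other. The token
             has already been validated above, so the claim can be trusted here. -->
        <rate-limit-by-key calls="100"
                           renewal-period="60"
                           counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)" />
        <!-- 3a. Authenticate APIM towards the backend with a client certificate
             uploaded to the APIM instance, so the backend can reject any request
             that did not pass through the gateway. -->
        <authentication-certificate thumbprint="{certificate-thumbprint}" />
        <!-- 3b. Alternative to 3a: OAuth2 client credentials via the APIM managed
             identity, requesting a token for the backend's app registration.
             Use either 3a or 3b, not both; 3b is left commented out here.
        <authentication-managed-identity resource="api://{backend-app-id}" />
        -->
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two caveats a practitioner would check: `validate-jwt` only runs inside the gateway, so the backend must still enforce that requests carry the APIM client certificate (or the managed-identity token), otherwise the "only accessible through APIM" property does not hold; and the `counter-key` expression uses the double-quoted form from the Azure documentation, which the APIM policy parser accepts even though it is not strictly well-formed XML.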
@larskaare

This seems ok. We need to ensure that APIM - which becomes a bottleneck - is scaled and operated sufficiently. I suggest that we create some real code examples on how APIM authenticates with the backend (if they are not easily available) and also get an impression of any potential performance penalties. In addition - APIM will act as a client towards the API, which may also query additional APIs in a longer chain. This should also be explored and documented with code examples :)

@dbelyaev

Side question -- Microsoft is pushing "subscription keys via headers" to enhance security.

While we see that by implementing these parts:

Set up token validation rules in APIM as an additional layer of protection:

Validate token
Verify that token is issued by Azure AD
Verify token directory = Equinor

it should provide enough protection.

@larskaare @oyron, what are your thoughts on subscription keys as an additional security layer? It looks like the "subscription key functionality" just adds an extra key and the burden of maintaining the keys and their rotation (assuming that authentication/authorization is already configured correctly in the API + token validation is being performed).

Microsoft states that without a valid subscription key (when enabled), requests would be "rejected immediately by the API Management gateway." I think that token validation would do the same.

ODAMS documentation doesn't provide any clarification on why it should be used and is just referencing Microsoft's docs.

Links:


3 participants