Understanding Security Management with the Azure API
Once the APIs are designed and defined, they need to be published so that users can consume them to develop different applications. When publishing, the most important aspect is security: how are the consumers of the APIs going to connect and use the exposed functionality? If the APIs are publicly exposed, there is no explicit security required to connect; for restricted APIs, however, an authentication channel needs to be exposed. Options to validate the user include managing users explicitly, or using identity providers such as Facebook, Hotmail, Google, and so forth to authenticate the user. In this article, we will see how the different security scenarios are exposed in Azure APIs.
To begin with, we will discuss explicitly creating users and then adding these users to specific groups. Groups are then granted permission to access the APIs.
Figure 1: The "Users" and "Groups" screen
Click on the Groups link. It displays a screen where new groups can be created and existing groups are listed. Three groups are created by the system; they are "Administrators", "Developers", and "Guests". It also has an "Add Group" button to add new groups based on requirements. When the user clicks "Add Group", it brings up a screen to key in the group name and description. Save the group and, as a next step, we will add new users.
Click the "Users" link and that brings up a screen that lists the existing users and an option to add or invite new users. To add a new user, click the "Add user" button; this brings up a pop-up window. In the pop-up screen, key in the email address, password, the first name and last name, as shown in Figure 2.
Figure 2: Adding information on the pop-up screen
After the user is created, we will add the user to existing groups. On the "Users" page, select the user that you want to add and then click "Add to Group"; it lists the different groups to which the user can be added, as shown in Figure 3:
Figure 3: The "Users" page
Clicking the group in the drop-down list adds the user to that specific group. You can also add users to any of the "Products" by clicking the user and then mapping the user to any of the subscriptions.
Another option is to use identity providers to authenticate the users. Users can be authenticated against Facebook, Hotmail, Google, Twitter, and Azure Active Directory. In this example, we will connect to "Live" (Microsoft) for authentication. To do this, we need a client ID and a secret key.
Follow the next steps to generate a client ID with a live account. Navigate to the live app management site and log in using a Microsoft account. Click Create application to create a new application. Enter an Application name and also select a primary language. Click "I Accept".
Figure 4: Creating an Application
After clicking I Accept, it takes you to a screen with Basic Information. On the left, click 'App Settings'.
Figure 5: The Basic Information screen
The App Settings page displays the client ID and client secret. Copy that information; it will be used in the 'Security' section. In "API Management", click Security, select 'Microsoft Account', and then enter the 'Client Id' and 'Client Secret'. This configures the security by using Live ID authentication.
Figure 6: Configuring the security settings
Figure 7: Completing the configuration
The next option for security is certificate authentication. Certificates are used to establish mutual authentication between parties. The client certificates are uploaded to the Azure site. One example is authenticating to backend services in a secure manner.
Once the certificate is uploaded, this certificate can be referenced in the API. In the 'API Management' screen, select "APIs" and navigate to the "Security" tab. In the security section, select "Mutual Certificates" and, from the drop-down, select the client certificate, as shown in Figure 8:
Figure 8: Selecting the client certificate
This maps the API to the certificate authentication. These are a few of the ways to secure the APIs that have been created.
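The backend's half of the mutual certificate setup described above, as an added example that is not part of the original article: the backend requires a client certificate on the TLS connection and accepts only the one whose thumbprint matches the certificate uploaded to Azure. The function names are hypothetical and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a DER-encoded client certificate (not a real one).
SAMPLE_DER = b"constructed-sample-client-certificate"

def thumbprint(der_cert):
    """SHA-1 over the DER bytes in upper-case hex, the form Windows and Azure display."""
    return hashlib.sha1(der_cert).hexdigest().upper()

def normalize(value):
    """Drop spaces, colons and invisible characters that ride along on copy/paste."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")

def is_pinned(der_cert, allowed):
    """True only if the presented certificate matches a pinned thumbprint."""
    if not der_cert:  # the caller presented no client certificate
        return False
    seen = thumbprint(der_cert)
    return any(hmac.compare_digest(seen, normalize(a)) for a in allowed)

def backend_context(server_cert=None, server_key=None, client_ca=None):
    """Server-side TLS context that refuses callers without a valid client cert.

    client_ca is the CA bundle (or the self-signed client certificate itself)
    that the caller's certificate must chain to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
    return ctx

def peer_is_pinned(tls_socket, allowed):
    """Apply the pin to the peer certificate of an accepted ssl.SSLSocket."""
    return is_pinned(tls_socket.getpeercert(binary_form=True) or b"", allowed)

if __name__ == "__main__":
    pinned = [thumbprint(SAMPLE_DER)]  # in practice: the thumbprint of the uploaded cert
    print(is_pinned(SAMPLE_DER, pinned), is_pinned(b"some-other-cert", pinned))
```

The thumbprint check is applied on top of the chain validation done by `CERT_REQUIRED`, not instead of it.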
In Azure API Management, once the APIs are created, they also need to be secured to ensure that only developers or consumers who have access can use the resources. In this article, we discussed the various options that Azure API Management provides to manage security.