
I have deployed my Web API on Azure Websites and am exposing it through the Azure API Management portal. I want to block access to the azurewebsites URL so that a user can only access my API through the Azure API Management proxy with a security key. Can you please shed some light on how this can be done? I have heard mutual certificates can be used, but I am not finding any article online which describes the process of creating such certificates and configuring Web API to effectively use them. My second question is: is there a mechanism to get the API primary key based on username/password and product name? What would be the best approach for keeping that API access key? Should the client app store it in some config file, and should this be obtained programmatically at run time?

Many thanks

1 Answer

There are multiple ways to protect your backend:

  1. Use basic authentication
  2. Use mutual cert authentication https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates
  3. IP-whitelisting. If you have a standard or premium instance, the IP address of the proxy will stay the same.
  4. Use OAuth. An example can be found here: https://channel9.msdn.com/Blogs/AzureApiMgmt/Protecting-Web-API-Backend-with-Azure-Active-Directory-and-API-Management

Hope that helps.
Miao Jiang
  • How can we use basic authentication when it's deployed as an Azure Website? If I use OAuth, do I need to create users for everyone accessing my Web API through the Azure API Portal? The certificate option looks very promising, but the tutorial does not highlight how to configure Web API for certificates and how to generate certificates – InTheWorldOfCodingApplications Jun 29 '15 at 20:36
  • I am pretty sure Azure Websites (now called Web Apps) supports basic auth, but I don't have documentation on how it can be turned on. If you use OAuth, you don't necessarily need to create each user if you already have a directory of users such as AAD. I heard Azure Web Apps recently added the feature to support cert authN. They are working on documenting the feature. – Miao Jiang Jul 10 '15 at 00:39
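
One way a backend could enforce option 2 from the answer (mutual certificate authentication), as an added example that is not part of the original thread. It assumes a Python WSGI backend and relies on Azure App Service forwarding the caller's certificate, base64-encoded, in the `X-ARR-ClientCert` header when client certificates are enabled for the site; the sample certificate bytes and the names `is_gateway_request` and `RequireGatewayCert` are constructed for illustration.

```python
import base64
import hashlib
import hmac

CLIENT_CERT_HEADER = "HTTP_X_ARR_CLIENTCERT"  # WSGI name of X-ARR-ClientCert

# Constructed stand-in for the DER bytes of the gateway's client certificate.
SAMPLE_DER = b"constructed-bytes-standing-in-for-a-DER-certificate"
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")
# Assumption: in a real deployment the pinned thumbprints come from app settings.
ALLOWED_THUMBPRINTS = {hashlib.sha1(SAMPLE_DER).hexdigest().upper()}


def thumbprint(header_value):
    """SHA-1 thumbprint (upper-case hex) of a base64-encoded DER certificate."""
    der = base64.b64decode(header_value, validate=True)
    return hashlib.sha1(der).hexdigest().upper()


def is_gateway_request(environ, allowed=ALLOWED_THUMBPRINTS):
    """True only if the forwarded certificate matches a pinned thumbprint.

    Pinning alone does not check expiry or issuer; add those checks with an
    X.509 parser if the certificate is not fully under your control.
    """
    header_value = environ.get(CLIENT_CERT_HEADER)
    if not header_value:
        return False  # direct call to the site without a certificate
    try:
        presented = thumbprint(header_value)
    except ValueError:  # binascii.Error (malformed base64) is a ValueError
        return False
    return any(hmac.compare_digest(presented, pinned) for pinned in allowed)


class RequireGatewayCert:
    """WSGI middleware: answer 403 unless the pinned certificate is presented."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_gateway_request(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Client certificate required\n"]
        return self.app(environ, start_response)
```

The header is only trustworthy when the platform front end sets it, so this check belongs on a site that is reachable solely through App Service with client certificates enabled.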