I'm building a .NET Web API application being hosted in the Azure cloud, that will need to consume a different API hosted in a company's intranet. Assume I'm building both APIs.
Client = Azure .NET Web API Server = Intranet API
I need to know the most secure way to protect requests from client to server. Here is where I've landed:
- 2-Legged OAuth
- Mutual TLS
- Username/Password
I like two legged OAuth for it's simplicity and token approach, however I feel this is insecure due to the fact that if the secret key was compromised, the entire approach is broken.
Mutual TLS seems to be the most secure, albeit with the most work.
Username and password doesn't seem relevant anymore (or as secure as the previous two).
Question Am I stuck with Mutual TLS, or am I incorrect on my assumptions? Also, is there another approach I can take?
Disclaimer - There are similar posts on this, however I don't feel they detail the level of security each brings to the table, nor do they do a good job explaining why they should use one over the other.
