We currently have a bunch of APIs in monolith form and we are trying to break them into related microservices. We are planning to use Azure API Management, and one aspect we are deliberating is how to handle authorization centrally, since we have quite a few checks and an individual API needs a different permutation and combination of these checks (business logic that involves backend access) before access is granted.
Authentication as such is not an issue, as it is AAD based and we can leverage the ValidateJWTToken policy for that. The next step, i.e. authorizing requests for a given API, is what I am looking for options on with respect to what is explained above. Is encapsulating such checks in a separate service and invoking it from APIM as an external service the way to go? The only catch is that each API or each subset of APIs requires different checks, so I am not sure how we can manage that unless we maintain some sort of mapping of API x checks, or the central service identifies certain roles based on the checks and each individual microservice authorizes based on those roles?
Just looking for all available options from people who have worked on a similar scenario. Thanks!
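The "mapping of API x checks" idea from the question, written out as an added example (not code from the original post, from Azure, or from any project): a small central authorization service that holds a table of route patterns to the named checks each one requires, evaluates those checks against the claims of the already validated JWT plus backend data, and returns a decision. In APIM this is the kind of service a send-request policy would call after validate-jwt, forwarding method, path and claims. The route patterns, check names, the `roles` and `tid` claims, and the `PROJECT_TENANT` table are all hypothetical, constructed for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    """What the gateway forwards to the authorization service: the HTTP
    method, the request path, and the claims of the JWT it has already
    validated (hypothetical shape, assumed for this example)."""
    method: str
    path: str
    claims: Mapping[str, object]


# A check takes the request and returns (passed, human-readable reason).
Check = Callable[[Request], Tuple[bool, str]]

# Constructed stand-in for backend data a check would normally look up:
# which tenant owns which project. Not real data.
PROJECT_TENANT = {"proj-1": "tenant-a", "proj-2": "tenant-b"}


def has_role(role: str) -> Check:
    """Claim-only check: the token carries the given app role (assumes a
    'roles' claim that is a list of strings)."""
    def check(req: Request) -> Tuple[bool, str]:
        roles = req.claims.get("roles", [])
        return (role in roles, f"role '{role}' required")
    return check


def same_tenant(req: Request) -> Tuple[bool, str]:
    """Backend-dependent check: the caller's tenant ('tid' claim, assumed)
    must own the project named in a path of the form /projects/{id}/..."""
    parts = req.path.strip("/").split("/")
    project = parts[1] if len(parts) > 1 and parts[0] == "projects" else None
    owner = PROJECT_TENANT.get(project)
    return (owner is not None and owner == req.claims.get("tid"),
            "caller tenant must own the project")


# Registry of reusable checks, referenced by name from the rule table so the
# same check can be combined differently per API.
CHECKS: Dict[str, Check] = {
    "reader": has_role("reader"),
    "admin": has_role("admin"),
    "same_tenant": same_tenant,
}

# The API x checks mapping: (method, path glob, required checks).
# First matching rule wins, every listed check must pass, and a request that
# matches no rule is denied (default deny). Note that fnmatch's '*' also
# matches '/', so order more specific patterns first.
RULES: Sequence[Tuple[str, str, Sequence[str]]] = [
    ("GET",    "/projects/*/tasks", ("reader", "same_tenant")),
    ("DELETE", "/projects/*",       ("admin", "same_tenant")),
    ("GET",    "/health",           ()),
]


def authorize(req: Request) -> Dict[str, object]:
    """Evaluate all checks of the first matching rule. Returns a decision the
    gateway can turn into 403 (and the failed checks for its logs)."""
    for method, pattern, names in RULES:
        if req.method == method and fnmatch.fnmatchcase(req.path, pattern):
            failed = []
            for name in names:
                ok, reason = CHECKS[name](req)
                if not ok:
                    failed.append(f"{name}: {reason}")
            return {"allowed": not failed, "rule": pattern, "failed": failed}
    return {"allowed": False, "rule": None, "failed": ["no rule matches"]}


if __name__ == "__main__":
    # Constructed sample calls with claims as the gateway would forward them.
    print(authorize(Request("GET", "/projects/proj-1/tasks",
                            {"roles": ["reader"], "tid": "tenant-a"})))
    print(authorize(Request("DELETE", "/projects/proj-1",
                            {"roles": ["reader"], "tid": "tenant-a"})))
```

The point of keeping the rule table separate from the checks is that adding an API means adding a row, not new code in the gateway, and the decision carries the names of the failed checks so the gateway can log why a request was refused without exposing the reason to the caller. The alternative the question raises (the central service only maps claims to coarse roles and each microservice decides) drops the backend-dependent checks such as `same_tenant` from the central path, so those would have to live in the services.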