APIM security recommendations

[oyron]

• API backends secured with OAuth2 and OIDC
• Authentication and authorization fully handled in backend
• Set up token validation rules in APIM, as an additional layer of protection
  • Validate token
  • Verify that token is issued by Azure AD
  • Verify token directory = Equinor
• Set up APIM rate limiting
• Production APIs should only be accessible through APIM, to ensure all requests are covered by APIMs features for security, logging and monitoring. This can be set up using one of the following options:
  • Authenticate APIM towards backend using client certificates
  • Authenticate APIM towards backend using OAuth2 with either client credentials or on-behalf-of-flow (note that OBO will prevent the API from doing a second OBO-flow towards another services, as OBO cannot be nested)
  • Use firewall/IP-filtering to limit access to backend, if supported by backend service

[larskaare]

This seems ok. We need to ensure that APIM - which becomes a bottleneck is scaled and operated sufficiently. I suggest that we create some real code examples on how APIM authenticated with the backend (if they arr not easily available) and also get an impression on any potential performance penalties. In addition - APIM will act as a client towards the API which may also query additional api's in a longer chain. This should also be explored and documents with code examples :)

[dbelyaev]

Side question -- Microsoft is pushing "subscription keys via headers" to enhance security.

While we see that by implementing these parts:

Set up token validation rules in APIM as an additional layer of protection:

Validate token
Verify that token is issued by Azure AD
Verify token directory = Equinor

it should provide enough protection.

@larskaare @oyron, what are your thoughts on subscription keys as an additional security layer? It looks like the "subscription key functionality" just adds an extra key and the burden of maintaining the keys and their rotation (assuming that authentication/authorization is already configured correctly in the API + token validation is being performed).

Microsoft states that without a valid subscription key (when enabled), requests would be "rejected immediately by the API Management gateway." I think that token validation would do the same.

ODAMS documentation doesn't provide any clarification on why it should be used and is just referencing Microsoft's docs.

Links:

• Microsoft - Subscriptions in Azure API Management
• ODAMS - Subscription key