Azure API 管理 - 如何保护订阅密钥 [英] Azure API Management - How to secure Subscription key
问题描述
Technical stack
- API deployed in WebApp
- API Management deployed and WebApp is configured as Web service URL.
- UI developed in Angular application which calls API Management endpoints to display data on UI.
- IP Authentication is implemented to make sure only allowed users has access to UI & API
- Subscription is enabled at Product level and key is shared with client for API call
- Separate product is created for UI and subscription key is used in UI to call API and display data
Now in this case, subscription key will be visible thru Browser -> Inspect -> Network tab
We want to make sure that user can't use UI key to make API call Using Proxy will hide the key but now anyone can call proxy url to get data.
How to make it secure?
As mentioned by nmbrphi, garethb, we can't control what end user see in browser network tab.
And as we do not have user authentication available in system and only have IP authentication, can't control usage of UI key directly from API.
To make sure we have more secured UI call, we have implemented custom logic which can be used for any javascript application
Reference http://billpatrianakos.me/blog/2013/09/12/securing-api-keys-in-a-client-side-javascript-app/
This helped me to at least distinguish UI calling API and API directly called from other application/tools like postman.
Thanks all for your help.
这篇关于Azure API 管理 - 如何保护订阅密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!