Azure API 管理 - 如何保护订阅密钥 [英] Azure API Management - How to secure Subscription key

查看：26 发布时间：2022/1/23 18:33:26 angular security azure-web-app-service azure-api-management

本文介绍了Azure API 管理 - 如何保护订阅密钥的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

Technical stack

API deployed in WebApp
API Management deployed and WebApp is configured as Web service URL.
UI developed in Angular application which calls API Management endpoints to display data on UI.
IP Authentication is implemented to make sure only allowed users has access to UI & API
Subscription is enabled at Product level and key is shared with client for API call
Separate product is created for UI and subscription key is used in UI to call API and display data

Now in this case, subscription key will be visible thru Browser -> Inspect -> Network tab

We want to make sure that user can't use UI key to make API call Using Proxy will hide the key but now anyone can call proxy url to get data.

How to make it secure?

解决方案

As mentioned by nmbrphi, garethb, we can't control what end user see in browser network tab.

And as we do not have user authentication available in system and only have IP authentication, can't control usage of UI key directly from API.

To make sure we have more secured UI call, we have implemented custom logic which can be used for any javascript application

Reference http://billpatrianakos.me/blog/2013/09/12/securing-api-keys-in-a-client-side-javascript-app/

This helped me to at least distinguish UI calling API and API directly called from other application/tools like postman.

Thanks all for your help.

这篇关于Azure API 管理 - 如何保护订阅密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文