Secure APIs Flashcards

(14 cards)

1
Q

What is the most common way to secure APIs?

A
  • Using a subscription key
  • Devs who need to consume the published API must include a valid subscription key in the HTTP requests when they call those APIs
  • The APIM gateway rejects calls without a sub key, and those calls aren't forwarded to backend services
2
Q

What is a subscription in APIM?

A
  • Required in order to have a sub key
  • A named container for a pair of sub keys
  • Devs who need to consume an API can get subs without needing approval from the API publishers
  • Publishers can also create subs directly for consumers
  • Has a primary and a secondary key, which avoids downtime when keys need to be regenerated
3
Q

What is a subscription key?

A
  • Unique auto-generated key that can be passed in the headers of a client request or as a query string param
  • The key is linked to a sub, which can be scoped to different areas
  • Scopes are: all APIs, a single API, or a product
  • Apps that call protected APIs must include the key in each request
  • Keys can be regenerated at any time, e.g. if we suspect one has been shared with an unauthorised user
4
Q

How do subscriptions work with products?

A
  • For products where subs are enabled, clients must supply a key when calling APIs in that product
  • Devs can obtain a key by submitting a sub request
  • If the request is approved, the key must be sent to them in a secure format
5
Q

What is header name and query string for sub key?

A

Header: Ocp-Apim-Subscription-Key; query string parameter: subscription-key

6
Q

How can I test out API calls?

A
  • Dev portal or CLI tools such as curl

curl --header "Ocp-Apim-Subscription-Key: <key>" https://<apim>.azure-api.net/api/path

or

curl "https://<apim>.azure-api.net/api/path?subscription-key=<key>"

7
Q

What are certs in APIM?

A
  • Can be used to provide TLS mutual auth between the client and the API gateway
  • Can configure the APIM gateway to allow only requests with certs containing a specific thumbprint
  • Handled through inbound policies
8
Q

What can APIM gateway check for to ensure security?

A
  • certificate authority
  • thumbprint
  • subject
  • expiration date
9
Q

How can we verify a cert?

A
  • Certs are signed to ensure they aren't tampered with
  • Check who issued the cert
  • If the cert is issued by a partner, verify that it came from them
10
Q

What is the APIM consumption tier and how does it relate to certs?

A
  • Designed to conform with serverless design principles, such as Azure Functions
  • Must explicitly enable the use of client certs
11
Q

How can we check thumbprint or client cert? What would the policy statement look like?

A
  • Ensures that the values in the cert haven't been altered since the cert was issued
  • Rejects the request when no client cert was presented or when its thumbprint is not the expected one

<choose>
  <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "desired-thumbprint")">
    <return-response>
      <set-status code="403" reason="Invalid client certificate" />
    </return-response>
  </when>
</choose>

12
Q

How can we check thumbprint against certs uploaded to APIM? What would the policy statement look like?

A
  • Usually each customer or partner company would pass a different cert with a different thumbprint
  • Obtain the certs from your partners and use the Client certificates page in the portal to upload them to APIM
  • Can then use the following, which rejects the request unless the presented cert verifies and its thumbprint matches one of the uploaded certs…

<when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
  <return-response><set-status code="403" reason="Invalid client certificate" /></return-response>
</when>

13
Q

How can we check the issuer and subject of a client cert?

A

<when condition="@(context.Request.Certificate == null || context.Request.Certificate.Issuer != "trusted-issuer" || context.Request.Certificate.SubjectName.Name != "expected-subject-name")">
  <return-response><set-status code="403" reason="Invalid client certificate" /></return-response>
</when>

14
Q

Command to create APIM?

A

az apim create
