Mind_Taker
May 7, 2007



I have an Azure question, but I figure it'd be appropriate to ask here since I didn't see an Azure thread and it's more of a general question than Azure-specific.

My company that I just started working at has various client systems that need to securely access an API we are being tasked to write. One of the first things we want to do is introduce OAuth2 with client credentials flow in order to secure our APIs going forward. Currently our APIs are accessed via API keys, which has been deemed a security risk.

Provided we implement OAuth2 is there any downside to configuring Azure to be the authentication provider with the client credentials flow?

We would register the API and clients in Azure and assign roles/permissions to the clients and generate a secret key for each client. Our clients would then authenticate in Azure with their secret key and use the access tokens provided by Azure to make requests to the API according to their roles as defined in Azure.

My boss is concerned with this approach because "it could introduce a tight coupling between Azure and the client applications" but I don't really know what that means. Especially since the API and the resources/databases will also be deployed to Azure. One alternative he suggested was that we write our own authentication service/API but I really don't want to re-invent the wheel (and do a worse job of it) and I also don't want to waste time since we have a lot of projects we'll be working on in the near future.

Does anyone know what my boss could mean by this "tight coupling" phrase? And does the approach I outlined make sense, or are there downsides with it (big or small)?

Mind_Taker fucked around with this message at 04:43 on Oct 21, 2023
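The flow described in the post above (register the API and each client, assign app roles, issue each client a secret, client exchanges the secret for a short-lived access token, API enforces the roles carried in the token), as an added, self-contained simulation that is not code from the original thread and not Azure's own code. `token_endpoint` stands in for the Azure token endpoint and `api_handler` for the protected API. Real Azure tokens are RS256-signed and verified against the tenant's published JWKS; the HS256 shared key here, along with every client ID, secret, role name, issuer and audience string, is a constructed assumption so the example runs offline with only the standard library. It also covers two failure modes the thread raises: the token stops working after its lifetime, and a client whose secret has expired can no longer obtain one.

```python
"""Offline simulation of OAuth2 client credentials against an Azure-style issuer.
Added example: not from the original post; all identifiers and keys are constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://login.example.test/tenant-id/v2.0"  # constructed stand-in for the Azure issuer
AUDIENCE = "api://orders-api"                         # constructed App ID URI of the registered API
SIGNING_KEY = b"constructed-hs256-key-not-for-real-use"  # assumption: Azure really uses RS256 + JWKS
TOKEN_LIFETIME = 3600                                 # seconds; the token dies, an API key would not

# App registrations: secret stored hashed, with an expiry date, plus assigned app roles.
# Timestamps are fixed constants so the example behaves the same whenever it is run.
CLIENTS = {
    "client-a": {"secret_hash": hashlib.sha256(b"secret-a").hexdigest(),
                 "secret_expires": 4102444800, "roles": ["Orders.Read"]},            # 2100-01-01
    "client-b": {"secret_hash": hashlib.sha256(b"secret-b").hexdigest(),
                 "secret_expires": 4102444800, "roles": ["Orders.Read", "Orders.Write"]},
    "client-c": {"secret_hash": hashlib.sha256(b"secret-c").hexdigest(),
                 "secret_expires": 1000000000, "roles": ["Orders.Read"]},            # expired in 2001
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_endpoint(form, now=None):
    """Stand-in for POST .../oauth2/v2.0/token with grant_type=client_credentials."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if form.get("scope") != AUDIENCE + "/.default":
        return {"error": "invalid_scope"}
    client = CLIENTS.get(form.get("client_id", ""))
    presented = hashlib.sha256(form.get("client_secret", "").encode()).hexdigest()
    if client is None or not hmac.compare_digest(client["secret_hash"], presented):
        return {"error": "invalid_client"}
    if now > client["secret_expires"]:
        # The failure mode from the thread: a valid app whose secret has lapsed gets no new tokens.
        return {"error": "invalid_client", "error_description": "client secret expired"}
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": form["client_id"], "azp": form["client_id"],
              "iat": int(now), "exp": int(now) + TOKEN_LIFETIME, "roles": client["roles"]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return {"token_type": "Bearer", "expires_in": TOKEN_LIFETIME,
            "access_token": signing_input + "." + _b64url(sig)}


def validate_token(token, now=None):
    """Resource-side validation: pinned alg, signature, issuer, audience, expiry. Raises ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # never let the token choose the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def api_handler(method, headers, now=None):
    """The protected API: authenticate via bearer token, authorize via the roles claim."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = validate_token(auth[len("Bearer "):], now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    required = "Orders.Write" if method in ("POST", "PUT", "DELETE") else "Orders.Read"
    if required not in claims.get("roles", []):
        return 403, {"error": "requires role " + required}
    return 200, {"client": claims["sub"], "granted": claims["roles"]}


def get_token(client_id, client_secret, now=None):
    """Client-side call to the token endpoint for the registered API's default scope."""
    return token_endpoint({"grant_type": "client_credentials", "client_id": client_id,
                           "client_secret": client_secret, "scope": AUDIENCE + "/.default"}, now)


if __name__ == "__main__":
    tok = get_token("client-a", "secret-a")["access_token"]
    print(api_handler("GET", {"Authorization": "Bearer " + tok}))                              # 200
    print(api_handler("POST", {"Authorization": "Bearer " + tok}))                             # 403
    print(api_handler("GET", {"Authorization": "Bearer " + tok}, now=time.time() + 7200))     # 401
    print(get_token("client-c", "secret-c"))                                                   # expired secret
```

Note the trade the thread describes in code form: the API never sees a long-lived secret, only a token that expires after `TOKEN_LIFETIME`, but every client now depends on the token endpoint being up and on its secret not having lapsed. A production client would cache the token until shortly before `exp` rather than hitting the endpoint on every call.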


Mind_Taker
May 7, 2007



Obfuscation posted:

Yeah I'd like to hear more about why api keys are bad

The reason given to us was that API keys are passed with every call and while the keys are still encrypted our security team would prefer us to adopt OAuth2 because the tokens expire after a short duration while API keys are valid indefinitely.

I'm no security expert but it sounded reasonable enough to me at the time, however I'd like to hear why OAuth2 wouldn't be necessary in our case.

Mind_Taker
May 7, 2007



CarForumPoster posted:

Because it hampers adoption of your new API, as your customers need to do more work to use your API. Meanwhile, if you rely on a 3rd party auth provider, if any link in that auth chain gets broken, which literally happened to me yesterday with a thing talking to the MS Graph API (the client secret for the application expired after 2 years so we couldn't get new tokens), then your whole poo poo gets hosed up. Also if they go down, your whole poo poo gets hosed up.

Security is super important, but API keys versus a more complicated auth system is one of those things that directly trades something for something else; whether the balance of that trade is worth it depends on your application. If I made a product a lot of junior developers would be accessing (anything that isn't exclusively sold to enterprises) I'd stick with API keys.

That said, if a company gets thoroughly databreached, the API keys might never get rotated and that has whatever negative effects that might have.

Yeah this all makes sense. I think the decision has already been made to move to OAuth2 before I started my position but I'll at least convey some of the downsides.

Mind_Taker
May 7, 2007



It's a bad question but if it's multiple choice I'd say 0 red triangles because it's only drawing rectangles

Mind_Taker fucked around with this message at 21:42 on Mar 13, 2024
